S. Korea Blames Coupang Data Breach on Management Failure, Not Sophisticated Attack

South Korean officials blamed a massive data leak last year at Coupang on management failure, rather than a sophisticated cyberattack, and urged the e-commerce giant to fix vulnerabilities in its security systems.

Announcing the first findings of a government-led probe, the Science Ministry said on Tuesday a former Coupang engineer, who was aware of flaws in the authentication process, broke into the system in April, a breach that lasted until November. The same person had attempted to gain access in January, it said.

Coupang Korea, operated by U.S.-listed Coupang Inc., faced a public and lawmaker backlash over the breach. The incident added to trade friction with Washington over concerns Korean authorities had gone beyond normal regulatory enforcement in its treatment of the U.S.-listed company.

Read more: Coupang Confirms More Data Leaks Which South Korean Aide Says Has ‘Shaken’ US Ties

“It’s more of a management problem than an advanced attack,” Choi Woo-hyuk, deputy minister for cyber security and network policy, told a press conference, citing lax oversight of authentication systems.

The ministry said the leak exposed personal data of about 33.7 million customers, and that a delivery-address list page, containing names and phone numbers, was viewed around 150 million times.

“The attacker exploited user authentication vulnerabilities to access user accounts without a proper login and caused large-scale unauthorized information leaks,” the ministry said.

It also called on the police to investigate Coupang for trying to “restrict” the investigation by deleting some data, accusing the company of defying a government order to preserve data.

Coupang did not immediately respond to a request for comment.

The company has previously said that the leak involved contact details, but that no payment details or login information were compromised. It also said users had been notified as per government guidance.

‘Coupang Needs Tighter Security’

The ministry accused the former employee, who left the firm in November 2024, of stealing an internal security key, known as a signing key, which it said was used to generate fake login tokens and gain unauthorized access to customer accounts.

It said the staff member had designed and developed parts of Coupang’s user authentication system, and the company had failed to invalidate the developer’s signing key after the person left the company, which it said was not an adequate security system.

“Coupang needs to introduce a detection and blocking system for electronic access cards that do not go through the normal issuance process,” the ministry said.

It added that it could not comment on whether more than one person was involved in the breach and needed to wait for the results of a police investigation.

South Korean Justice Minister Jung Sung-ho said in January that an arrest warrant had been issued in December for a Chinese national who had previously worked at Coupang.

Arrest Warrant

The police investigation is ongoing and the personal data watchdog is also investigating the incident.

Coupang faces a tax audit in South Korea and a legal complaint filed by the country’s parliament against its founder and former executives after they failed to show up for parliamentary hearings last year.

The ministry accused Coupang of violating the information-network law by failing to report the breach within the required 24-hour period and it planned to impose an administrative fine of up to 30 million won ($20,596) under the law.

Coupang reported the data breach to its chief information security officer at 4:00 p.m. local time on November 17 and reported it to authorities at 9:35 p.m. on November 19, the ministry said, a period of more than 53 hours.

(Reporting by Heekyong Yang and Hyunjoo Jin,; additional reporting by Heejin Kim; editing by Ed Davies)

Related: