Coupang — South Korea customer data exposure

South Korea's largest e-commerce platform reported 33.7 million customer accounts exposed; Korean police identified a former IT employee as the principal suspect.

Target: Coupang — South Korea customer data exposure
Date public: 4 December 2025
Sector: Retail
Attack type: Insider
Threat actor: Former employee (alleged Chinese national)
Severity: High
Region: South Korea

A former Coupang IT employee — a Chinese national who had worked on the company's authentication management system from November 2022 until he left in 2024 — retained access to internal systems after leaving. Starting on 24 June 2025 he began extracting customer data, routing the activity through overseas servers to evade detection. Coupang's security operations centre did not notice the extraction for nearly five months. By the time it was detected on 18 November 2025, the attacker had accessed records on around 33 million customer accounts — close to two-thirds of South Korea's population — and retained data on around 3,000. Exposed fields included names, phone numbers, email addresses, physical delivery addresses and order history. Subsequent reporting added door access codes for some customers, captured by Coupang's last-mile delivery service. The Korean government investigation followed. Coupang Corp's Korean CEO Park Dae-jun resigned on 10 December 2025. Police raided Coupang's headquarters in Seoul and issued a search warrant for the suspect, who is believed to be in China. Coupang faces a potential fine of up to ₩1 trillion (about $681 million) and announced a ₩1.17 trillion compensation programme for affected users.

What happened

On 19 November 2025 Coupang, the largest e-commerce platform in South Korea, filed a personal-data incident notification with the Korean Personal Information Protection Commission. The disclosure stated that an unauthorised actor had accessed customer records over an extended period. Successive disclosures and the Korean government’s investigation expanded the scope: 33.7 million customer accounts had been touched by the attacker — nearly two-thirds of South Korea’s population — and the company had been compromised since 24 June 2025, a dwell time of close to five months before detection.

Exposed fields included names, email addresses, phone numbers, physical addresses and order history. Subsequent reporting added door access codes for some customers, captured by Coupang’s Rocket Delivery last-mile service. Payment data was not in scope, according to the company’s regulator filings. Coupang has stated that of the 33 million accounts queried, the attacker retained data on around 3,000 — a framing the Korean government has publicly disputed.

Korean police identified the principal suspect in February 2026 as a 43-year-old Chinese national who had worked in Coupang’s IT department from November 2022, including on the authentication management system, and left the firm at some point in 2024. According to police findings, he retained access to internal systems after leaving, used overseas servers to operate, and exfiltrated approximately 1.7 GB of customer data, including in some cases encryption keys and authentication material. A search warrant has been issued; the suspect is believed to be in China.

The political and corporate fallout has been severe. Coupang Corp’s Korean CEO Park Dae-jun resigned on 10 December 2025; Coupang Inc., the US-listed parent, appointed Harold Rogers as interim CEO. Korean police raided Coupang’s Seoul headquarters in early December, returning for a second day shortly afterwards. The Personal Information Protection Commission has publicly disputed Coupang’s framing of the incident. Lawmakers have indicated that fines under the Personal Information Protection Act could reach ₩1 trillion. A shareholder lawsuit was filed against Coupang in the United States. The company announced a ₩1.17 trillion compensation programme split among affected users in late December 2025.

How it worked

The attack is structurally an insider-access-retention failure rather than an external intrusion. The suspect had been a privileged user of Coupang’s authentication management system as part of his day job. When he left the company in 2024, the offboarding process did not fully revoke the access he had accumulated — either because credentials were not rotated, or because keys he had legitimately handled remained valid in production systems, or because there was no comprehensive inventory of the access he had been granted. The Korean investigation has not yet published the full technical detail of which credentials remained valid for what reason, but the public framing — “exploited stolen encryption keys and authentication vulnerabilities” — points at material taken at exit and not subsequently invalidated.

The initial extraction began on 24 June 2025, around eight months after the suspect’s departure. From that point until 18 November 2025 — close to five months — the attacker queried customer records on a regular basis through overseas servers. Coupang’s SOC did not detect the extraction during that window. The eventual detection appears to have been triggered by an external signal rather than internal monitoring; what specifically triggered it has not been publicly disclosed.

Two technical conditions made this case a five-month dwell rather than a five-day one. First, the access path the attacker used was the same path he had used in his job — same credentials, same systems, same query patterns at the data-store level. The behavioural anomaly was the geographical and temporal context (queries from external infrastructure, by a credential that should have been revoked at offboarding), not the queries themselves. Detecting that pattern requires correlating the credential’s identity-and-access history with its current network context, continuously, which most enterprises do not do. Second, the queries were paced. The attacker did not extract 33 million records in a single rush; the operation was spread over months, plausibly to stay below volumetric thresholds Coupang’s tooling might have been monitoring.

The wider question — why a former IT engineer’s credentials remained valid against the authentication system itself for eight months after his departure — is the central control failure. The system whose keys were used was, by description, the system that issues authentication and authorisation tokens for the rest of the platform. Compromise of that system is a god-mode position. That a departing engineer with privileged access to it could leave the company with viable credentials still active is the architectural finding the Korean investigation is building its case around.

Timeline

  • November 2022 — Suspect joins Coupang, assigned to the authentication management system in the IT department.
  • 2024 — Suspect leaves Coupang. Departure offboarding does not fully revoke his access to the authentication system.
  • 24 June 2025 — Unauthorised access begins. Customer-data extraction commences via overseas infrastructure.
  • 24 June – 18 November 2025 — Five months of undetected extraction. Coupang SOC does not surface the activity. Approximately 33 million customer accounts queried; data retained on around 3,000.
  • 18 November 2025 — Coupang detects the unauthorised access.
  • 19–20 November 2025 — Coupang reports the incident to the Personal Information Protection Commission; formal notification of data leakage filed.
  • Early December 2025 — Korean Personal Information Protection Commission opens formal investigation. Seoul Metropolitan Police raid Coupang’s headquarters; return for a second day shortly afterwards.
  • 10 December 2025 — Park Dae-jun, Coupang Corp Korea CEO, resigns. Coupang Inc. names Harold Rogers as interim CEO.
  • Late December 2025 — Coupang announces ₩1.17 trillion compensation programme for affected users. US shareholder lawsuit filed against Coupang Inc.
  • February 2026 — Korean government joint task force publishes initial findings; identifies 43-year-old Chinese national former IT employee as primary suspect. Search warrant issued; suspect believed to be in China.

What defenders should learn

The Coupang case is a procedural-control failure dressed up in technical language. The technical action — querying customer records through an authentication system using valid credentials — is operationally normal. The procedural failure — those credentials being valid eight months after the credential-holder had left the company — is the underlying cause. Every other technical detail is downstream of that failure.

The first lesson is the offboarding inventory. For privileged staff handling identity, authentication or authorisation systems, the inventory of what credentials, keys, certificates, signing material and direct-access pathways the staff member has touched needs to be tracked through their tenure, not reconstructed at departure. Organisations that attempt to enumerate access only at the point of offboarding routinely miss material that the departing engineer themselves might not even remember they have. The control inventory should be continuous, validated against the production environment, and re-validated at departure. For the authentication system specifically — the system that issues identity to the rest of the platform — the rotation of any keys touched by a departing engineer should be automatic and non-negotiable.
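The continuous inventory the paragraph above describes can be expressed as a reconciliation job: join the HR roster against the production credential inventory and report personal accounts whose owner has left, plus shared material (signing keys, service secrets, certificates) that a leaver handled and that has not been rotated since their departure. The following is an added example written for this page, not Coupang's tooling or anything from the investigation; the roster, the credential records, the system names and the CRITICAL_SYSTEMS set are all constructed and assumed.

```python
"""Access-inventory reconciliation against the HR roster (added example, constructed data).

Reports two kinds of finding for still-active credentials:
  revoke_account      -- a personal account whose owner is marked as having left
  rotate_after_leaver -- shared material a leaver handled, with no rotation since they left
Findings on identity-issuing systems are ranked first, since keys there reach the whole platform.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Assumed: systems that issue identity/authorisation to the rest of the platform.
CRITICAL_SYSTEMS = {"auth-mgmt"}


@dataclass
class Credential:
    cred_id: str
    kind: str                  # user_account | signing_key | service_secret | certificate
    system: str
    status: str                # active | revoked
    owner: Optional[str] = None                     # personal credentials only
    handlers: List[str] = field(default_factory=list)  # everyone who has handled shared material
    last_rotated: Optional[date] = None


# Constructed HR roster: leavers carry their departure date.
HR_ROSTER = {
    "alice": {"status": "active"},
    "bob": {"status": "terminated", "left_on": date(2024, 10, 15)},
}

# Constructed production inventory, tracked during tenure rather than rebuilt at exit.
INVENTORY = [
    Credential("alice@corp", "user_account", "sso", "active", owner="alice"),
    Credential("bob@corp", "user_account", "sso", "active", owner="bob"),
    Credential("auth-signing-key-7", "signing_key", "auth-mgmt", "active",
               handlers=["bob", "alice"], last_rotated=date(2024, 3, 1)),
    Credential("db-svc-secret-3", "service_secret", "orders-db", "active",
               handlers=["bob"], last_rotated=date(2024, 11, 1)),
    Credential("old-vpn-cert", "certificate", "vpn", "revoked", owner="bob"),
]


def leavers(roster):
    """Map each terminated principal to the date they left."""
    return {u: r["left_on"] for u, r in roster.items() if r["status"] == "terminated"}


def severity(cred):
    return "critical" if cred.system in CRITICAL_SYSTEMS else "high"


def reconcile(roster, inventory):
    """Return (severity, finding, credential id) tuples, critical systems first."""
    gone = leavers(roster)
    findings = []
    for c in inventory:
        if c.status != "active":
            continue                       # already revoked; nothing to do
        if c.owner in gone:
            findings.append((severity(c), "revoke_account", c.cred_id))
        # Shared material is stale if any leaver handled it and it was not
        # rotated strictly after that person's departure date.
        stale = [h for h in c.handlers
                 if h in gone and (c.last_rotated is None or c.last_rotated <= gone[h])]
        if stale:
            findings.append((severity(c), "rotate_after_leaver", c.cred_id))
    findings.sort(key=lambda f: (f[0] != "critical", f[2]))
    return findings


if __name__ == "__main__":
    for sev, finding, cred_id in reconcile(HR_ROSTER, INVENTORY):
        print(f"[{sev}] {finding}: {cred_id}")
```

On the constructed data the job flags the unrotated auth signing key as critical and the leaver's still-active account as high, while the service secret rotated after the departure date and the already-revoked certificate produce nothing. Scheduling this against the live inventory, rather than running it once at offboarding, is what turns the inventory into a control.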

The second is detection of legitimate-credential abuse. The attacker in this case was not exhibiting a behaviour that would trip a content-based or volumetric anomaly easily — paced queries, plausible source IPs, valid credentials. The signal that distinguishes this attack from normal operation is contextual: the credential is held by a former employee, operating from an unexpected geography, against systems the credential should not still be reaching. Identity-aware monitoring — UEBA over identity logs, geolocation-and-network correlation, deactivated-credential trip-wires — exists to catch exactly this pattern. The Coupang SOC’s miss reflects either the absence of those capabilities or their misconfiguration; either way, the corrective is clear.
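The detection point made here, and the pacing point in "How it worked" (paced queries staying under volumetric thresholds, with the only anomaly being the credential's identity and network context), can be shown side by side over a few log lines. The following is an added example written for this page, not Coupang's monitoring or anything from the investigation: the log format, the HR roster, the corporate address ranges and the thresholds are constructed and assumed. It runs a plain daily-volume rule next to a deactivated-credential trip-wire, an external-source rule and a sustained-access rule, so the reader can see which of them actually fires on a paced extraction.

```python
"""Identity-context detection over access logs (added example, constructed data).

Four detectors run over the same lines:
  daily_volume      -- rows per principal per day above a threshold (paced extraction slips under it)
  inactive_identity -- principal is unknown to HR or marked terminated but still authenticates
  external_source   -- access to the data store from outside corporate address space
  sustained_access  -- the same principal querying on many distinct days
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed HR roster and corporate address space.
HR_ROSTER = {
    "alice": {"status": "active"},
    "bob": {"status": "terminated", "left_on": date(2024, 10, 15)},
}
CORP_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
DAILY_ROW_THRESHOLD = 50_000   # assumed volumetric threshold
SUSTAINED_DAYS = 5             # assumed: distinct query days before flagging

# Assumed log format: ISO timestamp, then key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+) rows=(?P<rows>\d+)$"
)

# Constructed sample: a leaver pulling 2,000 rows a day from external space for six days,
# and a current employee running one large but legitimate internal batch job.
SAMPLE_LOG = [
    f"2025-06-{d:02d}T02:13:07Z user=bob src=203.0.113.45 action=customer.query rows=2000"
    for d in range(24, 30)
] + [
    "2025-06-25T09:00:00Z user=alice src=10.4.7.21 action=customer.export rows=60000",
    "malformed line that the parser should skip",
]


@dataclass
class Event:
    day: date
    user: str
    src: str
    action: str
    rows: int


def parse(lines):
    """Parse well-formed lines into events; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append(Event(date.fromisoformat(m["ts"][:10]), m["user"],
                            m["src"], m["action"], int(m["rows"])))
    return events


def is_corporate(src):
    ip = ip_address(src)
    return any(ip in net for net in CORP_NETS)


def detect(lines):
    """Return a set of (rule, principal) alerts raised over the given log lines."""
    alerts = set()
    per_day = defaultdict(int)      # (user, day) -> rows queried
    days_seen = defaultdict(set)    # user -> distinct days with queries
    for e in parse(lines):
        per_day[(e.user, e.day)] += e.rows
        days_seen[e.user].add(e.day)
        rec = HR_ROSTER.get(e.user)
        if rec is None or rec["status"] == "terminated":
            alerts.add(("inactive_identity", e.user))
        if not is_corporate(e.src):
            alerts.add(("external_source", e.user))
    for (user, _day), rows in per_day.items():
        if rows > DAILY_ROW_THRESHOLD:
            alerts.add(("daily_volume", user))
    for user, days in days_seen.items():
        if len(days) >= SUSTAINED_DAYS:
            alerts.add(("sustained_access", user))
    return alerts


if __name__ == "__main__":
    for rule, user in sorted(detect(SAMPLE_LOG)):
        print(f"{rule}: {user}")
```

On the constructed lines the volumetric rule never fires for the paced principal and instead fires on the legitimate batch job, which is the failure mode the text describes; the leaver is caught only by the rules that look at who holds the credential, where the traffic comes from and how long the pattern persists. Those rules need the HR roster and the network inventory joined into the log pipeline, which is the correlation work the paragraph above says most enterprises do not do.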

The third is the wider regulatory point. The South Korean government’s reaction to this incident — the speed of the investigation, the willingness to publicly contradict Coupang’s framing, the size of the threatened fine, the pace of CEO accountability — is unusual by most jurisdictions’ standards but probably representative of where the global trend is heading. DORA, the FCA’s operational-resilience regime and equivalents elsewhere are converging on a posture where insider control failures of this magnitude attract personal accountability for executive decision-makers and material financial penalties for the firm. Coupang is the early case study in what that looks like at scale.