Coupang Inc., the U.S.-listed e-commerce giant often called the Amazon of South Korea, suffered a data breach that exposed personal information belonging to more than 33 million users, according to preliminary findings released by the government, in a case authorities say stemmed from weaknesses in the company’s authentication systems.
Investigators also found that delivery-address information was accessed roughly 150 million times, dramatically widening the potential circle of people whose data may have been compromised because recipients often include family members, neighbors and friends.
The Ministry of Science and ICT said Jan. 10 that a joint public-private probe concluded the intrusion was carried out by a former employee over a period of months. The individual allegedly exploited vulnerabilities in the way the company issued and verified digital access credentials, allowing repeated entry into customer-information pages without proper authorization.
Authorities reviewed about 25.6 terabytes of surviving web-access logs—roughly 664 billion records—covering activity through Nov. 29, 2024. They determined that about 33.67 million sets of user data, including names and email addresses, were downloaded via Coupang’s “Edit My Information” function.
The figure is slightly below an earlier government estimate of 33.7 million, though it excludes another 165,000 accounts the company had previously disclosed. Regulators said the Personal Information Protection Commission will announce the final tally after additional verification.
Beyond basic profile data, investigators said the attacker entered Coupang’s delivery-address database about 148 million times. Exposed information included names, phone numbers and street addresses, along with partially masked shared-entry codes used at many South Korean apartment complexes.
Because those codes can be exploited in follow-on crimes, officials consider them particularly sensitive. They were viewed more than 50,000 times, while recent order histories were accessed about 100,000 times. Payment data wasn’t taken, and authorities said they have not yet identified confirmed cases of secondary misuse.
The confirmed scale of the intrusion was smaller than what the former employee claimed in an email sent to Coupang in late November. In that message, the individual alleged access to more than 120 million delivery records and 560 million order entries.
According to the ministry, the suspect had worked as a developer responsible for backup authentication arrangements during system outages. Investigators said he began mapping vulnerabilities as early as January 2024, tested potential attack routes and started extracting information in earnest on April 14, using automated web-crawling programs and multiple internet addresses until early November.
Officials said they have not confirmed whether the data was transferred to outside cloud infrastructure. While some local reports have speculated about the suspect’s nationality, the investigative team declined to comment, saying that determination belongs to police.
Regulators were blunt in their assessment of the company’s safeguards. They said Coupang failed to recognize patterns of abnormal access even as large volumes of data were being removed. Internal security reviews had previously warned that improperly issued tokens could be abused, investigators added, but corrective steps were insufficient.
Authorities ordered the company to tighten monitoring, strengthen control of authentication keys and conduct recurring audits to ensure its own policies are followed.
The government also intends to levy an administrative penalty, arguing that Coupang violated a rule requiring major cyber incidents to be reported within 24 hours. Officials said the company informed regulators on Nov. 19 at 9:35 p.m., nearly two days after notifying its chief information security officer internally.
In a further rebuke, the ministry referred the company for investigation after saying it failed to preserve evidence, leading to the deletion of roughly five months of web logs and leaving gaps in application records from late May to early June.
Despite holding South Korea’s Information Security Management System certification, Coupang was found to have weak separation of access privileges and inadequate encryption practices. Regulators warned the credential could be revoked if mandated improvements aren’t completed.
The company must submit a comprehensive prevention plan by the end of this month, with follow-up inspections scheduled through July.
For investors, the episode lands at a delicate moment. Coupang has been expanding logistics capacity and pushing into new services while marketing itself as a technology-driven platform with world-class infrastructure. The breach, and the government’s unusually detailed criticism, risks shifting attention from growth to governance—and to whether internal controls have kept pace with the company’s scale.
