South Korea Demands Coupang Fix ‘Astonishing’ Security Flaws After Massive Data Leak
South Korean authorities have dropped a cybersecurity bombshell on e-commerce giant Coupang, demanding the company immediately address a startling catalog of security vulnerabilities following a data breach that compromised the personal information of nearly its entire customer base. This isn’t just a minor technical hiccup; officials have publicly described the incident as the most serious data breach in the country’s e-commerce history.
The Shocking Scope of the Leak
The scale of the breach is, frankly, staggering. The investigation confirmed that approximately 33.7 million user records were leaked, a figure that rivals the total population of South Korea. The exposed information includes highly sensitive details such as customer names, phone numbers, email addresses, delivery addresses, and full order histories. Imagine the risk of phishing and targeted scams using that level of detail. While the company stated that payment information and account passwords remained secure, the wealth of personal data that was stolen poses a significant privacy threat.
The Culprit: A Former Employee and Flawed System
What makes this story particularly alarming are the specific security failures that enabled the attack. The breach has been attributed to a former Coupang employee who, after leaving the company, exploited deep flaws in the internal credential management system. The key loophole? Cryptographic signing keys—essentially “electronic access passes”—belonging to the former developer were never revoked or rotated after their departure. This allowed the ex-employee to forge credentials, bypass standard authentication procedures, and scrape massive volumes of data for months without detection.
The government’s joint investigation team pointed to this “lax management system” as a clear case of negligence. Their findings highlight a severe lack of basic security hygiene: unverified forged credentials, a failure to block repeated unauthorized access, and key developer credentials left active after the developer’s employment ended. The Ministry of Science and ICT also noted that Coupang was late in reporting the breach—a direct violation of the legal 24-hour reporting window—and even deleted some access logs despite a formal preservation order, an action that led to a criminal referral.
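The failure described above is, at its core, a verifier that keeps honouring a signing key after its owner has left. The following added example (not Coupang's code; keys and key IDs are constructed placeholders) shows a minimal token verifier with the three controls the investigators found missing: it only trusts keys that are currently active, so revoking a departed developer's key invalidates anything signed with it; it rejects forged signatures; and it blocks a caller after repeated failed attempts.

```python
import base64
import hashlib
import hmac
import json
from collections import defaultdict
from typing import Optional

# Constructed sample keys. In a real deployment these live in a secrets
# manager or HSM and are rotated on a schedule, never embedded in source.
ACTIVE_KEYS = {
    "dev-2023-01": b"constructed-key-of-former-developer",
    "svc-2024-06": b"constructed-key-of-current-service",
}
FAILURES = defaultdict(int)   # failed verifications per client identifier
MAX_FAILURES = 5              # lock out a client after this many failures


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(kid: str, claims: dict) -> str:
    """Issue a token of the form kid.payload.signature with the named active key."""
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(ACTIVE_KEYS[kid], f"{kid}.{payload}".encode(), hashlib.sha256).digest()
    return f"{kid}.{payload}.{_b64(mac)}"


def revoke(kid: str) -> None:
    """Offboarding step: once the key is gone, every token it ever signed stops verifying."""
    ACTIVE_KEYS.pop(kid, None)


def verify(token: str, client: str) -> Optional[dict]:
    """Return the claims if the token is valid, else None (and count the failure)."""
    if FAILURES[client] >= MAX_FAILURES:
        return None                      # repeated unauthorized access: refuse outright
    try:
        kid, payload, sig = token.split(".")
        key = ACTIVE_KEYS[kid]           # unknown or revoked key id raises KeyError
        expected = hmac.new(key, f"{kid}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64(expected), sig):
            raise ValueError("signature mismatch")
    except (KeyError, ValueError):
        FAILURES[client] += 1
        return None
    FAILURES[client] = 0                 # a good token resets the counter
    return json.loads(_unb64(payload))
```

Revocation is only effective if the verifier consults the live key set on every request; a cached copy of `ACTIVE_KEYS` reproduces the original problem.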
The High Cost of Security Lapses
The fallout for the company, often called “South Korea’s Amazon,” is immense. Regulators have ordered Coupang to submit a detailed plan outlining its corrective measures to prevent future incidents. The legal and financial penalties could be enormous, as South Korea’s Personal Information Protection Act allows for fines up to 3 percent of a company’s average annual revenue for such violations. For Coupang, that could translate to hundreds of millions of dollars in penalties. Separately, the company is already facing a US securities class action lawsuit alleging it misled investors about its data security practices.
Coupang has apologized to its customers and announced a plan to strengthen its defenses, which reportedly includes a significant compensation plan aimed at restoring trust among the millions of affected users. However, for a nation that relies heavily on its dominant e-commerce provider, the road to rebuilding public confidence will be a long one, starting with fixing the basic security doors that were left wide open.