South Korean officials blamed a massive data leak last year at Coupang on management failure, rather than a sophisticated cyberattack, and urged the e-commerce giant to fix vulnerabilities in its security systems.
Announcing the first findings of a government-led probe, the Science Ministry said on Tuesday a former Coupang engineer, who was aware of flaws in the authentication process, broke into the system in April, a breach that lasted until November. The same person had attempted to gain access in January, it said.
Coupang Korea, operated by U.S.-listed Coupang Inc., faced a public and lawmaker backlash over the breach. The incident added to trade friction with Washington over concerns Korean authorities had gone beyond normal regulatory enforcement in their treatment of the U.S.-listed company.
“It’s more of a management problem than an advanced attack,” Choi Woo-hyuk, deputy minister for cyber security and network policy, told a press conference, citing lax oversight of authentication systems.
“The attacker exploited user authentication vulnerabilities to access user accounts without a proper login and caused large-scale unauthorized information leaks,” the ministry said.
It also called on the police to investigate Coupang for trying to “restrict” the investigation by deleting some data, accusing it of defying a government order to preserve data.
The ministry said the leak exposed personal data of about 33.7 million customers, including names and phone numbers.
Coupang said in a statement that it would “take all necessary steps to prevent further harm and continue strengthening safeguards to prevent a recurrence.”
It said a software program written by the former employee generated around 140 million queries but there was no evidence that any other party had accessed or viewed the data, which did not include payment or login information.
Coupang reiterated that data retained from around 3,000 user accounts was later deleted, adding there was no evidence any secondary harm had arisen.
‘Coupang Needs Tighter Security’
The ministry accused the former employee, who left the firm in November 2024, of stealing an internal security key, known as a signing key, which it said was used to generate fake login tokens and gain unauthorized access to customer accounts.
It said the staff member had designed and developed parts of Coupang’s user authentication system, and the company had failed to immediately invalidate the developer’s signing key after they left the company, which it said was not an adequate security system.
“Coupang needs to introduce a detection and blocking system for electronic access cards that do not go through the normal issuance process,” the ministry said.
It added that it could not comment on whether more than one person was involved in the breach and needed to wait for the results of a police investigation.
South Korean Justice Minister Jung Sung-ho said in January that an arrest warrant had been issued in December for the Chinese national who had previously worked at Coupang.
Arrest Warrant
The police investigation is ongoing and the personal data watchdog is also investigating the incident.
Coupang faces a tax audit in South Korea and a legal complaint filed by the country’s parliament against its founder and former executives after they failed to show up for parliamentary hearings last year.
The ministry accused Coupang of violating the information-network law by failing to report the breach within the required 24-hour period and it planned to impose an administrative fine of up to 30 million won ($20,596) under the law.
Coupang reported the data breach to its chief information security officer at 4:00 p.m. local time on November 17 and reported it to authorities at 9:35 p.m. on November 19, the ministry said, a period of more than 53 hours.
(Reporting by Heekyong Yang and Hyunjoo Jin, Additional reporting by Heejin Kim and Kyu-seok ShimEditing by Ed Davies, Kirsten Donovan)
