Graphics by AJP Song Ji-yoon

SEOUL, December 01 (AJP) - South Korea’s largest e-commerce platform Coupang faces a wave of criminal and civil lawsuits, alongside potential fines that could exceed $1 billion, if authorities confirm corporate negligence in the massive data theft allegedly carried out by a former employee of Chinese nationality.
Under the Personal Information Protection Act, strengthened in 2023, regulators may impose penalties of up to 3 percent of annual revenue for data-protection violations. Coupang reported $9.27 billion in revenue in the quarter ended September, bringing its trailing 12-month revenue to $33.66 billion — meaning fines could surpass $1 billion. The figure could rise further if authorities opt to combine the revenues of Coupang Play and Coupang Eats.
Coupang said customer names, email addresses, mobile numbers, shipping addresses and some order histories were stolen. Payment details, credit-card numbers and login credentials were not compromised, it added.
“We sincerely apologize once again for causing inconvenience to our customers,” said Coupang CEO Park Dae-jun, in a statement on the company’s website.
While Coupang did not identify a suspect in its police filing, internal probes point to a former employee of Chinese nationality who had already left the company — and the country — according to people familiar with the matter.
The individual reportedly departed Coupang in October and has since left South Korea, complicating investigative efforts. The suspect allegedly emailed customers photos of their order histories and phone numbers with the message “I know your personal information”, triggering complaints that set off Coupang’s internal review.
Long-neglected authentication keys at the center of the breach
Investigators found that the breach may have been enabled by outdated authentication keys that should have been deleted or renewed when the employee exited the company. The suspect may have exploited access token signature keys, bypassing normal login procedures to reach customer data.
Security analysts say the compromised tokens were likely administrative tokens with extended validity, not ordinary user tokens that typically expire within 30 minutes to an hour. This would have allowed prolonged, unauthorized access.
Rep. Choi Min-hee, chair of the National Assembly’s Science, ICT, Broadcasting and Communications Committee, said Coupang failed to renew key signature files after the employee’s departure, leaving them valid for five to ten years.
“Signature key renewal is the most basic internal security procedure, yet Coupang failed to follow it,” Choi said. “This is not simply an employee’s misconduct but the result of deep organizational failings.”
In the breach, access tokens functioned like entry passes, while signature keys served as the stamps that validate them. Prolonged neglect of the stamps allowed someone to continue entering undetected — “like repeatedly using stamped entry passes without authorization,” one analyst said.
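The pass-and-stamp relationship described above, as an added example that is not from the article or from Coupang's systems. It assumes a simplified HMAC-SHA256 token format, constructed keys named `k1` and `k2`, and a one-hour lifetime policy (`MAX_TTL`); none of these details come from the investigation.

```python
import base64, hashlib, hmac, json

MAX_TTL = 3600  # assumed policy: no token may be valid for more than an hour

def _mac(key: bytes, payload: str) -> bytes:
    return hmac.new(key, payload.encode(), hashlib.sha256).digest()

def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Token = base64(JSON claims incl. key id) + '.' + base64(HMAC-SHA256)."""
    body = json.dumps({**claims, "kid": kid}, sort_keys=True).encode()
    payload = base64.urlsafe_b64encode(body).decode()
    return payload + "." + base64.urlsafe_b64encode(_mac(key, payload)).decode()

def verify_token(token: str, keys: dict, now: float) -> tuple:
    """Return (ok, reason); `keys` maps key id -> currently trusted key."""
    try:
        payload, sig = token.split(".")
        claims = json.loads(base64.urlsafe_b64decode(payload))
        kid = str(claims["kid"])
        iat, exp = float(claims["iat"]), float(claims["exp"])
        sig_bytes = base64.urlsafe_b64decode(sig)
    except (ValueError, KeyError, TypeError):
        return False, "malformed"
    key = keys.get(kid)
    if key is None:  # rotated-out keys validate nothing, however old the token
        return False, "unknown or retired key"
    if not hmac.compare_digest(_mac(key, payload), sig_bytes):
        return False, "bad signature"
    if now >= exp:
        return False, "expired"
    if exp - iat > MAX_TTL:  # refuse multi-year "administrative" lifetimes
        return False, "lifetime exceeds policy"
    return True, "ok"

def demo(now: float = 1_700_000_000.0) -> list:
    """Constructed scenario: key 'k1' was readable by someone who has left."""
    keys = {"k1": b"constructed-key-1"}
    short = sign_token({"sub": "svc", "iat": now, "exp": now + 900}, "k1", keys["k1"])
    multi_year = sign_token({"sub": "svc", "iat": now, "exp": now + 5 * 365 * 86400},
                            "k1", keys["k1"])
    results = [verify_token(short, keys, now + 60),       # key still trusted
               verify_token(multi_year, keys, now + 60)]  # capped by MAX_TTL
    keys = {"k2": b"constructed-key-2"}  # offboarding: retire k1, issue from k2
    results.append(verify_token(short, keys, now + 60))
    return results

if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

The lifetime cap only limits how long a single stolen token stays useful; a correctly signed short-lived token keeps passing until the key itself is retired, which is why rotation at offboarding is the control that matters here.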
A Coupang delivery truck parked near the company's logistics warehouse, Dec. 1, 2025. Yonhap

Government: Attacker exploited authentication weaknesses
Science and ICT Minister Bae Kyung-hoon said at an emergency meeting on Nov. 30 that attackers exploited authentication flaws to access customer data without standard login processes.
“The attacker took advantage of weaknesses in Coupang’s server authentication to access over 30 million customer accounts,” Bae said.
The Ministry of Science and ICT has formed a joint public-private investigation team, while the Personal Information Protection Commission (PIPC) said it would impose strong sanctions if violations of safety-management obligations are confirmed.
Coupang initially reported just 4,500 affected customers when it notified the Korea Internet and Security Agency on Nov. 20. The figure surged to 33.7 million as investigators uncovered far broader exposure stretching from June to November.
Coupang, which reported 24.7 million active commercial users in the third quarter, said the breach likely affected data from former and dormant accounts as well. The company employs about 10,000 office staff, with personal-information access restricted to a small number of IT employees with elevated permissions.
Experts say the breach highlights critical vulnerabilities in Coupang's internal security management.
"Zero-trust principles are essential for data security these days. Even insiders should be monitored carefully," said Kim Ki-hyung, a cybersecurity professor at Ajou University. "Access to highly sensitive data should not be concentrated among a select few senior managers. Each individual manager should only be able to view minimal portions of the data they need."
Kim Dong-young Business Reporter davekim0807@ajupress.com