A view of the Coupang logistics center in Jung-gu, Seoul. /Courtesy of News1

The personal data leak at Coupang last year turned out to be due to clear management negligence: Coupang failed to immediately rotate the certificate signing key even after the developer in charge of authentication-related tasks left the company. The Ministry of Science and ICT (public-private joint investigation team) announced the final investigation results on the Coupang breach at Government Complex Seoul on the 10th. According to the Ministry of Science and ICT, information on about 33,673,817 customers was leaked at Coupang from Apr. 14 to Nov. 8 last year. A former employee accessed Coupang's web pages and leaked user information. Coupang said in its own investigation late last year that about 3,000 accounts were affected, but the actual damage was far greater. The Ministry of Science and ICT referred Coupang's violation of a data preservation order to law enforcement and plans to impose fines for the delayed breach report.

In detail, 33,673,817 user records, including names and emails, were leaked from Coupang's "edit my information" page. Numerous lookups of personal information in violation of the Personal Information Protection Act also occurred. The delivery address list page, which included names, phone numbers, addresses, and front-door access codes partially masked with special characters, was viewed 1,480,565,02 times, leading to information leakage. The delivery address list page contained many details about third parties such as family members and friends, including their names, phone numbers, and delivery addresses, in addition to those of the account owner. The delivery address edit page, which included names, phone numbers, addresses, and front-door access codes, was also accessed 50,474 times, and the order list page, which showed items recently ordered by users, was queried by the attacker 102,682 times.

The investigation team estimated the scale of the leak based on web access logs, and the final scope of the personal data breach will be confirmed and announced by the Personal Information Protection Commission.

Analysis of the scale of Coupang's data leak. /Courtesy of the Ministry of Science and ICT

◇ Information stolen through Coupang's "weak server authentication and management system"… "system still insufficient"

The former Coupang employee (the attacker) who caused the personal data leak exploited weak authentication and a lax or absent management system on Coupang's servers to obtain personal information. The investigation team confirmed, through forensic analysis of the attacker's PC storage devices (two HDDs and two SSDs), that Coupang's unique user identifiers and forged "electronic badges" were present on them. The former employee was a software developer who, while at Coupang, designed and developed the user authentication system for backups and system failure responses. This person was more aware than anyone of the vulnerabilities in Coupang's authentication and signing key management systems. After leaving the company, the person used the signing key and internal details of the user authentication system taken at the time to forge and alter "electronic badges." Then, by using them to pass Coupang's authentication without the normal login procedure, the person conducted meticulous preliminary tests for a full-scale attack from Jan. 5 to 20.

About three months later, starting on Apr. 14, a large-scale data exfiltration continued for seven months. The attacker used an automated web crawling tool to extract large volumes of information, using a total of 2,313 IP addresses in the process. The Ministry of Science and ICT also confirmed that the attacker wrote attack scripts capable of collecting information and transmitting it to external servers. The ministry further confirmed a function that could transmit leaked information (such as order lists) to an overseas cloud server after logging into others' accounts without authorization using forged "electronic badges." However, the ministry said it could not confirm whether actual data transmission occurred because no records remain.


During this process, Coupang had no procedure to verify whether "electronic badges" had been forged or altered. When the person in charge left the company, Coupang should have rotated the relevant signing key so that it could no longer be used, but the related system and procedures were inadequate. In this incident, Coupang kept reusing the same server user identifier and failed to detect or block data exfiltration through abnormal accesses made with forged "electronic badges," even though such accesses occurred.

Coupang's authentication and key management systems remain insufficient even now. After the incident, Coupang sought solutions only for issues found through penetration testing and did not conduct a comprehensive review of the overall problems, such as improving the user authentication system for servers. The investigation team also confirmed, through forensic analysis of a laptop the developer used during employment, that the signing key was stored (hard-coded) on the developer's laptop even though keys were required to be stored only in the key management system. In addition, Coupang had no system for tracking the history of signing keys, making it impossible to identify use for unintended purposes. Furthermore, when the investigation team reviewed Coupang's Information Security and Personal Information Protection Management System (ISMS-P) certification, they found that Coupang did not separate development from operations and granted developers access rights to the "key management system" in actual operation. In particular, the internal rules defined only a three-year key lifetime, and detailed operating procedures, such as replacing the key when information about its users changes, were lacking.
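As an added illustration of the controls the two paragraphs above find missing (example code, not Coupang's system), the verifier below keys every badge to a named signing key, lets a key be retired the day its custodian leaves rather than on a fixed multi-year cycle, refuses badges signed by a retired key, and records such attempts for monitoring. The badge format, key names and secrets are constructed for the example.

```python
import base64, hashlib, hmac, json, time
from typing import Optional
# Constructed keyring (hypothetical, not Coupang's system). Each signing key carries a
# status so it can be retired out of cycle, e.g. on the day its custodian leaves.
KEYRING = {
    "k-2023": {"secret": b"constructed-secret-known-to-departed-developer", "status": "active"},
    "k-2025": {"secret": b"constructed-secret-held-only-in-kms", "status": "active"},
}
AUDIT = []  # detection log: every rejected badge is recorded here for monitoring

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_badge(user_id: str, kid: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Mint a badge in a hypothetical 'payload.signature' format (HMAC-SHA256 under key kid)."""
    key = KEYRING[kid]
    if key["status"] != "active":
        raise ValueError(f"refusing to sign with retired key {kid}")
    now = int(time.time()) if now is None else now
    payload = json.dumps({"sub": user_id, "kid": kid, "exp": now + ttl}, sort_keys=True).encode()
    return f"{_b64(payload)}.{_b64(hmac.new(key['secret'], payload, hashlib.sha256).digest())}"

def verify_badge(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims only if the badge verifies under an ACTIVE key, else None. A valid
    signature from a retired key is the forgery signal the article describes, so it is logged apart."""
    now = int(time.time()) if now is None else now
    try:
        p64, s64 = token.split(".")
        payload, sig = _unb64(p64), _unb64(s64)
        claims = json.loads(payload)
        key = KEYRING[claims["kid"]]
    except (ValueError, KeyError, TypeError):
        AUDIT.append({"event": "malformed_badge"})
        return None
    if not hmac.compare_digest(sig, hmac.new(key["secret"], payload, hashlib.sha256).digest()):
        AUDIT.append({"event": "bad_signature", "kid": claims["kid"]})
        return None
    if key["status"] != "active":
        AUDIT.append({"event": "retired_key_used", "kid": claims["kid"], "sub": claims.get("sub")})
        return None
    if claims["exp"] <= now:
        AUDIT.append({"event": "expired", "kid": claims["kid"], "sub": claims.get("sub")})
        return None
    return claims

def retire_key(kid: str) -> None:
    """Retire a key immediately (off-cycle rotation) instead of waiting for its scheduled lifetime."""
    KEYRING[kid]["status"] = "retired"
```

Alerting on the `retired_key_used` event is the detection the article says was missing: a correctly signed badge under a key that should no longer exist can only come from someone who kept a copy.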

The Ministry of Science and ICT said, "A detection and blocking system for 'electronic badges' should be introduced, the authentication key management and control system should be strengthened, operating standards should be clarified, and routine inspections should be conducted," adding, "Monitoring to detect abnormal access should be reinforced, and policies for log storage and management should be established and refined."

Analysis of the leak route. /Courtesy of the Ministry of Science and ICT

◇ Fines for delayed reporting, investigation requested for violating data preservation order

The Ministry of Science and ICT referred Coupang's violation of the data preservation order to law enforcement and plans to impose fines for the delayed report of the breach under the Act on Promotion of Information and Communications Network Utilization and Information Protection.

Coupang reported the breach to the Korea Internet & Security Agency (KISA) at 9:35 p.m. on Nov. 19 last year. However, that was more than 24 hours after the breach had been reported to Coupang's chief information security officer (CISO) at 4 p.m. on Nov. 17 last year. The data preservation order was also not complied with. Immediately after the breach was reported, at 10:34 p.m. on Nov. 19 last year, the Ministry of Science and ICT ordered Coupang to preserve data for cause analysis under the Act on Promotion of Information and Communications Network Utilization and Information Protection. Despite the order, Coupang did not adjust the automatic retention policy for its own access logs, resulting in the deletion of about five months' worth of web access logs (July–Nov. 2024). In addition, application access log data from May 23 to June 2, 2025, were also deleted.

An official at the Ministry of Science and ICT said, "Coupang will be required to submit an implementation plan for recurrence prevention measures within this month, and we plan to check implementation between June and July this year," adding, "If items requiring supplementation are found as a result of the on-site inspection, we plan to order corrective action under Article 48-4 of the Act on Promotion of Information and Communications Network Utilization and Information Protection."
