South Korea on Tuesday told Coupang to urgently close security loopholes after a government probe linked a major data breach to failures in the company’s user authentication systems.
Coupang suffered one of South Korea’s worst data breaches, and this has increased trade friction with the US after officials in Washington expressed concern over the treatment of US tech firms.
Now, the findings place renewed pressure on the e-commerce giant as regulators scrutinize how personal data was protected and reported. This also comes as both the police and the country’s data watchdog continue with investigations into the matter.
Probe identifies authentication failures
The Ministry of Science and ICT said early in January 2025 that an individual was trying to gain unauthorized access into Coupang’s systems by exploiting usability issues related to authentication. Investigators noted this occurred prior to any indication of a breach publicly occurring.
“The attacker exploited user authentication vulnerabilities to access user accounts without a proper login and caused large-scale unauthorised information leaks,” the ministry said.
They have been able to determine that the individual was able to obtain unauthorized access to users’ accounts via the exploitation of the vulnerabilities in the authentication process, which resulted in the breach of confidential information of about 33.7 million customers.
The ministry determined that the data breach followed the misuse of an internal employee’s security signing key for the purposes of generating counterfeit authentication tokens by an employee who left in November 2024.
It said the staff member had designed and developed parts of Coupang’s user verification, and the company failed to provide a level of protection against this employee being able to obtain access to these customers’ confidential account data.
“The verification system for forged or altered electronic access cards was inadequate, making it difficult to detect or block the attacks in advance,” the ministry said.
In December 2025, Coupang confirmed that it will compensate customers affected by a recent user data breach, pledging over $1.17 billion in vouchers. The company emphasized that the breach only affected customer names, email addresses, some order histories, and home addresses, not payment and login details.
Regulators demand Coupang system upgrades
Authorities have ordered Coupang to implement advanced technology that enables the detection and blocking of electronic access cards received outside of the standard issuance process.
“The Ministry of the Interior and Safety has directed Coupang to install detection and blocking tools for electronic access cards that were not issued through the regular issuance process,” said the ministry.
The police and the Personal Data Authority have undertaken their independent investigations into the alleged incident.
The Ministry of Interior also accused Coupang of violating information network laws by failing to report the incident within the required 24-hour period. The regulatory body claimed that the company’s knowledge of the intrusion occurred on November 17, but they did not report anything until November 19.
The ministry is currently determining whether to impose an administrative penalty of up to 30 million won ($20,596). The ministry has referred the allegation of spoliation of data to the appropriate division for review. Coupang has not made any public statements regarding the outcome of the investigation.