South Korea blames Coupang leadership for breach of 33m user accounts

The South Korean government on Tuesday accused the management team of e-commerce giant Coupang for trying to play down the severity of a massive data breach in November that compromised over 33 million customer accounts.

 

The Ministry of Science and ICT said Tuesday that the local leadership team of the U.S.-listed e-commerce company massively played down the severity of the data breach, claiming that about 3,000 user accounts had been compromised.

 

A joint public-private investigation led by the science ministry into the data breach revealed that as many as 33.6 million customer accounts had been exposed to unauthorised third parties, representing the entirety of Coupang’s South Korean user base.

 

"The science ministry concluded the incident as being a major breach case leading to a massive leak of information involving the country’s top online commerce platform," said Choi Woo-hyuk, director general of the ministry’s cybersecurity bureau, at a press conference.

 

The ministry accused Coupang’s leadership of delaying its reporting of the data breach, failing to preserve key evidence and failing to pursue a formal investigation on time. 

 

"This was apparently a matter of management, not a sophisticated attack," Choi said as quoted by the Yonhap news agency. "Coupang needs to bolster its monitoring of abnormal access as part of recurrence prevention measures, carry out an analysis of the cause of the incident and establish and implement a log retention policy."

 

The ministry’s statement follows a major police investigation that began in early December to secure evidence related to the massive data breach. The police raids coincided with Coupang chief executive Park Dae-jun announcing his resignation after taking responsibility for the data breach.

 

The incident was allegedly perpetrated by a former Coupang employee, a 43-year-old Chinese national, involved in the company’s authentication system. The attacker reportedly exploited flaws in the authentication management system to gain access to customer data and sent an email threatening to disclose the data unless security improvements were made.

 

The former employee reportedly access the system in June and the unauthorised access went undetected until they informed the company about the security vulnerabilities. 

 

In January, the e-commerce company agreed to provide ₩1.685 trillion worth of purchase vouchers as compensation to 33.7 million customers whose account details and personal records were compromised. The compromised information included customer names, email addresses, phone numbers, shipping addresses, and order histories. 

 

According to the science ministry, Coupang failed to inform authorities within 24 hours of learning about the security incident and failed to provide web access records for a five-month period in 2024 and application access records from late May to early June of 2025. The ministry has promised to issue a fine on Coupang in due course for the leadership’s regulatory errors.