▷ (Scope of Investigation)
- Coupang user authentication system
- Analysis of access logs to estimate the scope of the attack and scale of the data breach
- Inspection of the company-wide information security management system
▷ (Scale of the Breach)
- My Information Edit page: approximately 33.76 million records (names and emails)
- Delivery address list page: accessed approximately 140 million times (names, phone numbers, addresses, etc.)
- Delivery address edit page: accessed approximately 50,000 times (names, phone numbers, building entrance access codes)
- Order history page: accessed approximately 100,000 times (the list of recent orders)
※ The final scope of the personal data leak will be determined by PIPC.
▷ (Causes and Issues)
The attacker exploited vulnerabilities in Coupang’s user authentication system, gained abnormal access to user accounts without following the normal login process, and leaked personal data on a large scale.
- The absence of a verification system for forged electronic access badges resulted in a failure to detect and block the attacks in advance.
- Security vulnerabilities identified through simulated cyberattacks were not sufficiently addressed.
- Although the attacker had worked as a user authentication system developer, Coupang did not invalidate the signing key after the attacker left the company.
▷ (Preventive Measures)
- Implementation of a detection and blocking mechanism for forged electronic access badges
- Corrective actions for vulnerabilities identified through simulated cyberattacks
- Strengthening the key management system, including procedures for issuing and revoking signing keys
▷ (Administrative Measures)
Delayed report and violation of data preservation order (Violations of the Information and Communications Network Act)
- (Delayed report: Fine to be imposed) The data breach was reported to KISA (21:35, November 19, 2025) more than 24 hours after the company became aware of the incident (16:00, November 17, 2025).
- (Violation of data preservation order: Referred to investigative authorities) Web and application access logs were deleted even after the data preservation order (22:34, November 19, 2025), impeding investigation.
The Ministry of Science and ICT (MSIT, Deputy Prime Minister and Minister: Bae Kyung-hoon) announced on Tuesday, February 10, the findings of a joint public-private investigation team into the Coupang data breach.
The investigation team analyzed the causes of the data breach in accordance with Article 48-4 of the Act on Promotion of Information and Communications Network Utilization and Information Protection (the “Information and Communications Network Act”) and prepared preventive measures to prevent similar incidents in the future.
Meanwhile, the Personal Information Protection Commission (PIPC) is currently investigating the scale of the personal data leak and potential violation of the Personal Information Protection Act. The Korean National Police Agency (KNPA) is also conducting an investigation, including the analysis of evidence related to the breach. MSIT added that other relevant ministries are reviewing issues within their respective jurisdictions.
Ⅰ. Overview of the Coupang Data Breach
On November 16, 2025, Coupang received a customer report via its Voice of Customer (VOC) channel regarding a suspicious email related to a personal data leak.
Following an internal investigation, Coupang reported the incident to the Korean Internet & Security Agency (KISA, President: Lee Sang-jung), stating that it became aware of the breach on November 17, 2025 and had identified the exposure of personal information (customer names, emails, and addresses) from 4,536 accounts.
※ Under the Information and Communications Network Act, companies are required to report a breach within 24 hours of becoming aware of the incident. Failure to comply may result in a fine of up to 30 million won.
However, during its on-site inspection, KISA determined that the actual scale of the breach was significantly larger than initially reported. Rather than approximately 4,500 accounts, the breach affected more than 30 million accounts.
MSIT regarded the incident as the largest personal data breach involving a domestic e-commerce platform and as a serious case in which personal data was exposed on a large scale. Accordingly, on November 30, 2025, MSIT established a joint public-private investigation team to examine the damage and determine its causes in accordance with applicable laws and principles.
Ⅱ. Investigation Scope
The investigation team thoroughly analyzed Coupang’s user authentication system exploited by the attacker. The investigation team also conducted a comprehensive analysis of relevant materials, including web and application access logs, to determine the scope of the attack and the scale of the data breach.
In parallel, the investigation team performed digital forensic analysis of the attacker's PC storage devices (two HDDs and two SSDs) submitted by Coupang, as well as the laptops used by current Coupang developers.
In addition, the investigation team examined the company-wide information security management system, including whether Coupang complied with guidelines on information protection measures and the Information Security Management System–Personal Information (ISMS-P) standards as required under the Information and Communications Network Act, as well as with Coupang’s internal policies.
Ⅲ. Scale of the Data Breach
The attacker sent emails twice to Coupang on November 16 and November 25, 2025, claiming that personal data had been leaked. The emails included samples of the leaked data.
Hello, due to a not-so-hard-to-find vulnerability in coupang's system, billions of user privacy data items are at significant risk of leak, users from Korea, Japan and Taiwan are impacted.
The user data that is identified from various coupang apps and websites in Korea includes:
120+ million pieces of shipping address data
560+ million pieces of order data
33+ million pieces of email address data
To verify the attacker’s claims, the investigation team analyzed Coupang’s web access logs.
As a result, the team confirmed that the attacker had stolen the following information: names and email addresses from the “Edit My Information” page; names, phone numbers, addresses, and building entrance access codes from the delivery address list page; and information on products ordered by users from the order history page. The attacker subsequently included some of this data in emails sent to Coupang.
※ Definition of personal data leak: Under the Standard Guidelines for Personal Information Protection, a personal data leak refers to a situation in which personal data leaves the management or control of the relevant personal information controller and becomes accessible to a third party.

Analysis of the Coupang web and application access logs confirmed that Coupang user information was exposed from the Edit My Information, delivery address list, and order history pages.
From the Edit My Information page, 33,673,817 user records including names and email addresses were found to have been leaked.
It was also identified that the delivery address list page, which contains names, phone numbers, addresses, and building entrance access codes masked with special characters, was accessed 148,056,502 times*. In addition to the account holder’s information, the delivery address list page contains information on third parties such as family members and friends, including their names, phone numbers, and delivery addresses.
* Refers to the number of accesses to the delivery address list page containing the above-mentioned information.
It was identified that the delivery address edit page, which contains names, phone numbers, delivery addresses, and building entrance access codes, was accessed 50,474 times.
In addition, the order history page, which contains information on products recently ordered by users, was accessed 102,682 times.
The investigation team estimated the scale of the data breach based on the web and application access logs. The final determination of the scope of personal data leak will be made and announced by PIPC.
ㅇ (Target and Scope of Analysis) Coupang access logs (Capacity: 25.6 TB)
- Data coverage period: Nov. 29, 2024 – Dec. 31, 2025
- Data analyzed: approximately 664.2 billion records (664,256,750,511 records)
ㅇ (Key Findings) The investigation found that the attacker gained unauthorized access to the e-commerce platform between April 14 and November 8, 2025, and leaked user information through access to the webpages during this period.
※ It was confirmed that the attacker accessed user accounts by using a specific server-side user identification number. Based on this finding, the investigation team traced the attacker’s IP addresses and referer information within the access logs.
① Edit My Information page: 33,673,817 records (names and emails)
② Delivery address list page: accessed 148,056,502 times (names, phone numbers, delivery addresses, and building entrance access codes masked with special characters)
③ Delivery address edit page: accessed 50,474 times (names, phone numbers, delivery addresses, and building entrance access codes)
④ Order history page: accessed 102,682 times
※ The total scale of the personal data leak will be determined and announced by PIPC.
Ⅳ. Cause Analysis
The investigation team analyzed the causes of the incident from two perspectives: the data breach pathway, and the attacker’s conduct.
※ The attacker was identified as a former Coupang software developer (Staff Back-end Engineer) who, while employed at Coupang, was responsible for designing and developing user authentication systems for backup in the event of system failures.
Based on its analysis of the data breach pathway, the investigation team confirmed that the attacker exploited vulnerabilities in the authentication mechanism of Coupang’s servers, gained abnormal access to user accounts without following the normal login process, and leaked personal data.
Normally, a user logs in with an ID and password and is then issued a type of “electronic access badge.” Coupang’s gateway server verifies the validity of the issued badge and grants access to the service only if the badge is authenticated.
The attacker unlawfully obtained the signing key for the user authentication system, which the attacker had managed while employed at Coupang. After leaving the company, the attacker used the signing key to forge electronic access badges and thereby bypass Coupang's authentication system. As a result, the attacker was able to access Coupang’s services without undergoing the standard login process.
① Identification of System Vulnerabilities (Before January 2025)
While employed at Coupang, the attacker was involved in the design and development of the user authentication system. In the course of performing these duties, the attacker became aware of vulnerabilities within the authentication system and the key management system.
※ (Grounds for Assessment) Access logs indicate that between January 5 and January 20, 2025, the attacker conducted test attempts against the system. Based on these records, the investigation team determined that the vulnerabilities had been identified prior to January 2025.
Coupang’s gateway server is designed to grant access only to users who have been issued valid electronic access badges through the normal authentication process. Accordingly, a verification process should be in place to ensure that such badges have not been forged or tampered with. However, the investigation confirmed that no separate verification procedure exists.
In addition, the signing key requires strict and systematic management as it is used to issue electronic access badges. When an employee responsible for the authentication system leaves the company, appropriate measures should be taken to invalidate the relevant signing key. The investigation found that related key management procedures were insufficient at the time.
② Test Attacks Exploiting System Vulnerabilities (After January 2025)
After leaving the company, the attacker used the signing key obtained while employed at Coupang, along with inside information, to forge electronic access badges. Using these forged badges, the attacker bypassed Coupang’s authentication system without undergoing the normal login process and conducted preliminary test attempts in preparation for the main attack.
‣ A forensic examination of laptops used by current developers confirmed that the signing key, which was required to be stored exclusively within the key management system, had also been stored locally on developer laptops (via hardcoding).
‣ A forensic analysis of the attacker’s PC storage devices (two HDDs and two SSDs) identified Coupang user unique identification numbers and forged electronic access badges.
‣ Evidence of test attacks around January 2025 was identified prior to the main attack period, which occurred from April 14 to November 8, 2025.
③ Large-Scale Data Breach (April 14 – November 8, 2025)
After confirming through preliminary test attempts that unauthorized access to user accounts was feasible, the attacker proceeded to carry out a large-scale data breach using an automated web crawling tool. During this period, the attacker used a total of 2,313 IP addresses.
<Findings by the Investigation Team>
‣ A forensic examination of the attacker’s PC storage devices (two HDDs and two SSDs) confirmed that the attacker had developed an attack script capable of collecting personal data and transmitting it to external servers.
- The investigation team further identified functionality capable of transmitting data obtained through unauthorized access to other users’ accounts (including order information) to overseas cloud servers using forged electronic access badges.
※ However, it could not be determined whether any actual data transmission to overseas cloud servers occurred, as no relevant records remained.
Ⅴ. Identified Issues and Preventive Measures
Through the investigation, the investigation team identified deficiencies in Coupang’s information security system and established corresponding measures to prevent recurrence.
The investigation team confirmed that the attacker gained unauthorized access to Coupang's services by using forged electronic access badges. It was further determined that no verification mechanism had been implemented to confirm whether issued electronic access badges had undergone the normal authentication process.
In addition, although Coupang conducted simulated cyberattacks to identify and address vulnerabilities within its electronic badge-based authentication system, corrective measures were pursued only with respect to individually identified issues. However, a comprehensive review of overall system vulnerabilities, including the need to enhance the gateway server's user authentication system, was not carried out.
⇒ (Preventive Measure) Coupang is required to implement a detection and blocking mechanism for electronic access badges that have not been issued through the normal authentication process. Furthermore, vulnerabilities identified through simulated cyberattacks must be addressed through fundamental improvements.
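An added illustration (not Coupang's code and not part of the MSIT release) of the gap described above: a gateway that checks only the signature accepts any badge made with the signing key, while one that also looks the badge up in the issuance record written at login, and honours key revocation, rejects it. The badge layout, HMAC signing, class names and key value are assumptions made for the example.

```python
import base64, hashlib, hmac, json, secrets, time

# Assumed badge layout (not Coupang's): base64url(JSON claims) "." base64url(HMAC-SHA256)
def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_badge(claims, key):
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

class AuthService:
    """Issues a badge after login and records every issuance."""
    def __init__(self, keys):
        self.keys = keys              # key id -> signing key
        self.issued = {}              # badge id -> (user, expiry)
        self.revoked_kids = set()     # key ids invalidated, e.g. at offboarding

    def login(self, user, kid, ttl=900):
        # Credential check omitted; assume the password was verified here.
        jti, exp = secrets.token_hex(16), int(time.time()) + ttl
        self.issued[jti] = (user, exp)
        return sign_badge({"sub": user, "jti": jti, "exp": exp, "kid": kid}, self.keys[kid])

class Gateway:
    def __init__(self, auth, check_issuance):
        self.auth, self.check_issuance = auth, check_issuance

    def verify(self, badge):
        try:
            body, tag = badge.split(".")
            claims = json.loads(_unb64(body))
            kid = str(claims["kid"])
            expected = hmac.new(self.auth.keys[kid], body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(tag)):
                return "deny: bad signature"
            if float(claims["exp"]) < time.time():
                return "deny: expired"
        except (ValueError, KeyError, TypeError, AttributeError):
            return "deny: malformed"
        if not self.check_issuance:
            return "allow"            # signature-only: any holder of the key passes
        if kid in self.auth.revoked_kids:
            return "deny: revoked key"
        record = self.auth.issued.get(str(claims.get("jti")))
        if record != (claims.get("sub"), claims.get("exp")):
            return "deny: not issued by login"
        return "allow"

def demo():
    key = b"constructed-demo-key"     # constructed value standing in for the leaked key
    auth = AuthService({"k1": key})
    genuine = auth.login("member-1001", "k1")
    forged = sign_badge({"sub": "member-2002", "jti": "made-up",
                         "exp": int(time.time()) + 900, "kid": "k1"}, key)
    weak, hardened = Gateway(auth, False), Gateway(auth, True)
    out = {"weak_forged": weak.verify(forged), "hardened_forged": hardened.verify(forged),
           "hardened_genuine": hardened.verify(genuine)}
    auth.revoked_kids.add("k1")       # rotation: old key no longer trusted
    out["after_revocation"] = hardened.verify(genuine)
    return out
```

Revoking a key id also invalidates genuine badges signed with it, so rotation has to be paired with re-issuing badges under the new key.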
Coupang’s internal policies stipulate that signing keys must be stored exclusively within the key management system and must not be stored on developers’ PCs (hardcoding in source code). However, the investigation team identified that current Coupang developers had stored a signing key on laptops, thereby creating a risk of key leakage and misuse.
In addition, although Coupang’s policies require the recording and management of signing key issuance history to ensure systematic control, the investigation team confirmed that no adequate key history management system was in place. As a result, it was not possible to determine whether signing keys had been used strictly for their intended purposes.
Furthermore, Coupang lacked a response system to address threats arising from insiders (or former employees), through which critical information such as signing keys could be misappropriated.
Upon reviewing Coupang’s compliance with the ISMS-P standards, the investigation team also identified that development and production environments were not adequately segregated. Developers had been granted access to the key management system in the production server. Moreover, while Coupang’s internal policies defined a key validity period (three-year cycle), detailed operational procedures such as key replacement triggered by changes in user information had not been sufficiently established.
⇒ (Preventive Measure) Coupang is required to strengthen its key management and control system, including proper management of key issuance and usage history; clarify operational management standards; and conduct continuous monitoring.
During the incident, the same server user identification number* was repeatedly used, and abnormal access was made using forged electronic access badges. Nevertheless, Coupang failed to detect and block the unauthorized data access carried out through this attack.
*A random string value assigned to each session by a web server to distinguish multiple web page requestors.
In addition, access logs were stored and managed without consistent standards, which caused difficulties in identifying affected users and assessing the scale of the information disclosure.
※ Coupang stored and managed the server user identification number and the user’s unique identification number only on the Edit My Information page. Such information was not stored or managed on other pages, including the delivery address list and order history pages.
⇒ (Preventive Measure) Coupang is required to strengthen monitoring for the detection of abnormal access and to establish and refine log storage and management policies aligned with the purposes of incident analysis and impact assessment. In addition, the company must conduct regular inspections to ensure compliance with its internal security policies and establish a management system that enables immediate corrective action in cases of non-compliance.
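An added sketch (not from the MSIT release or Coupang) of the monitoring and log-coverage checks this measure points to: flag a server user identification number that appears with many different member identifiers, report pages whose log records lack those identifiers, and count page accesses from the flagged number's IP addresses. The JSON log layout, field names, paths, threshold and sample lines are all constructed assumptions.

```python
import json
from collections import Counter, defaultdict

# Constructed sample lines; layout, field names and paths are assumptions.
SAMPLE_LOG = [
    '{"ip":"198.51.100.7","sid":"S-AAA","member":"1001","path":"/my/info"}',
    '{"ip":"198.51.100.8","sid":"S-AAA","member":"1002","path":"/my/info"}',
    '{"ip":"203.0.113.9","sid":"S-AAA","member":"1003","path":"/my/info"}',
    '{"ip":"198.51.100.7","sid":"S-AAA","member":"1004","path":"/my/info"}',
    '{"ip":"192.0.2.10","sid":"S-BBB","member":"5001","path":"/my/info"}',
    '{"ip":"192.0.2.10","sid":"S-BBB","member":"5001","path":"/my/info"}',
    '{"ip":"198.51.100.7","path":"/address/list"}',
    '{"ip":"198.51.100.7","path":"/address/list"}',
    '{"ip":"203.0.113.9","path":"/address/list"}',
    '{"ip":"192.0.2.10","path":"/address/list"}',
    '{"ip":"198.51.100.8","path":"/order/history"}',
    'not json',
]

def parse(lines):
    """Yield well-formed records as dicts of strings; skip anything else."""
    for raw in lines:
        try:
            rec = json.loads(raw)
        except ValueError:
            continue
        if isinstance(rec, dict):
            yield {k: str(v) for k, v in rec.items() if v is not None}

def flag_shared_sids(lines, max_members=2):
    """Map each sid seen with more than max_members accounts to its source IPs."""
    members, ips = defaultdict(set), defaultdict(set)
    for rec in parse(lines):
        sid, member = rec.get("sid"), rec.get("member")
        if sid and member:
            members[sid].add(member)
            ips[sid].add(rec.get("ip", ""))
    return {sid: sorted(ips[sid]) for sid, m in members.items() if len(m) > max_members}

def logging_gaps(lines):
    """Count records per page that cannot be tied to a sid and a member."""
    gaps = Counter()
    for rec in parse(lines):
        if not (rec.get("sid") and rec.get("member")):
            gaps[rec.get("path", "<no path>")] += 1
    return dict(gaps)

def accesses_from(lines, suspect_ips):
    """Count page accesses from the given IPs, including unattributed pages."""
    hits = Counter()
    for rec in parse(lines):
        if rec.get("ip") in suspect_ips:
            hits[rec.get("path", "<no path>")] += 1
    return dict(hits)
```

On pages that log no identifiers, the IP pivot yields only a count of accesses, not a list of affected accounts, which is the limitation the release describes for the delivery address and order history pages.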
① Delayed Report
Pursuant to Article 48-3 of the Information and Communications Network Act, Coupang was required to report the breach to MSIT or KISA within 24 hours of becoming aware of the incident. However, although the incident was reported internally to the CISO at 16:00 on November 17, 2025, the company did not report it to KISA until 21:35 on November 19, 2025, thereby exceeding the statutory 24-hour reporting deadline.
※ (Incident recognition time) “Becoming aware of the incident” refers to the point at which a person responsible for information security, the head of the relevant department, the CISO, or the company’s representative becomes aware of the occurrence of a security incident as defined under Article 2 of the Information and Communications Network Act (Guidelines on Responding to Information and Communications Security Incidents, August 2025).
⇒ (Administrative Measure) A fine shall be imposed in accordance with the Information and Communications Network Act.
※ Under Article 76 of the Act, failure to comply with the reporting obligation is subject to a fine of up to 30 million won.
② Violation of Data Preservation Order
In order to analyze the causes of the incident, MSIT ordered Coupang to preserve data at 22:34 on November 19, 2025 under Article 48-4 of the Information and Communications Network Act.
However, despite the order, Coupang did not adjust its automatic log retention settings. As a result, approximately five months of web access logs (July to November 2024) were deleted. In addition, application access logs covering the period from May 23 to June 2, 2025 were also deleted.
⇒ (Administrative Measure) The case was referred to investigative authorities to investigate the violation of the data preservation order.
※ Deletion of web logs: Referred for investigation on December 31, 2025
Deletion of application logs: Referred for investigation on February 9, 2026
Ⅵ. Next Steps
MSIT will require Coupang to submit an implementation plan for preventive measures by February 2026. Coupang is expected to implement the measures from March to May, and MSIT will review the implementation in June and July. If the measures are found to be insufficient, MSIT plans to order corrective actions according to Article 48-4 of the Information and Communications Network Act.
For further information, please contact the Public Relations Division (Phone: +82-44-202-4034, E-mail: msitmedia@korea.kr) of the Ministry of Science and ICT.
Please refer to the attached PDF.