Coupang Data Breach Exposes 33.7 Million Users: Insider Threat Reveals Major Gaps in South Korea's Data Protection Practices
- Rescana

Executive Summary
Coupang, South Korea’s leading e-commerce platform, has disclosed a data breach affecting 33.7 million customer accounts, representing nearly two-thirds of the country’s population. This incident, the largest e-commerce security breach in South Korean history, exposed customer names, phone numbers, email addresses, delivery addresses, and order histories. Payment card information, banking data, and login credentials were not compromised. The breach was enabled by a former Coupang employee who retained access keys after leaving the company, allowing unauthorized access to customer data via overseas servers for nearly five months. The breach was detected on November 6, 2025, but not fully identified until November 18, 2025. Regulatory investigations, class action lawsuits, and record fines are expected. The incident highlights significant gaps in offboarding, credential management, and data protection practices, particularly regarding the lack of mandatory encryption for non-payment data. All information in this summary is directly sourced from BleepingComputer (https://www.bleepingcomputer.com/news/security/coupang-breach-affecting-337-million-users-raises-data-protection-questions/), TechCrunch (https://techcrunch.com/2025/12/01/koreas-coupang-says-data-breach-exposed-nearly-34m-customers-personal-information/), and Korea Herald (https://www.koreaherald.com/article/10638028).
Technical Information
The Coupang breach is a textbook example of an insider threat exploiting deficiencies in offboarding and credential management. The attacker, a former employee, retained access keys to Coupang’s authentication services after their employment ended. These keys were used to access customer data repositories from overseas servers, undetected, for nearly five months. The breach was not the result of malware, ransomware, or external exploitation tools, but rather the abuse of legitimate credentials.
Attack Vector and Methodology
The initial access vector was the use of valid access keys that should have been revoked but were not. The attacker’s access persisted because the offboarding process failed at a single step: the cloud authentication keys issued to the departing employee were never revoked. Using those keys, the attacker accessed customer data stored in information repositories, including names, phone numbers, email addresses, delivery addresses, and order histories. Data was exfiltrated over network connections to overseas servers. There is no evidence of privilege escalation, lateral movement, or malware deployment; the breach relied solely on credential abuse.
Detection and Response
Coupang detected unusual access on November 6, 2025, at 6:38 PM KST, but did not fully identify the breach until November 18, 2025, at 10:52 PM. This 12-day detection gap, combined with the five-month period of undetected access, highlights significant deficiencies in monitoring and incident response processes. Upon full identification, Coupang activated its incident response procedures, blocked the unauthorized access, reported the incident to the Korea Internet & Security Agency (KISA), the Personal Information Protection Commission (PIPC), and the National Police Agency, and notified affected customers.
Data Compromised
The compromised data includes customer names, phone numbers, email addresses, delivery addresses, and order/purchase histories. Payment card information, banking information, and login credentials were not compromised. The lack of legal requirements for encrypting non-payment data in South Korea contributed to the scale and impact of the breach. While the compromised data may seem less critical than payment information, the combination of these data points can enable spear-phishing, re-identification, and even physical threats.
MITRE ATT&CK Mapping
The attack maps directly to the following MITRE ATT&CK techniques:
T1078: Valid Accounts – Use of valid credentials (access keys) to access systems post-employment (https://attack.mitre.org/techniques/T1078/).
T1078.004: Cloud Accounts – Persistence via cloud authentication keys not revoked after offboarding (https://attack.mitre.org/techniques/T1078/004/).
T1213: Data from Information Repositories – Access to customer data stored in databases or cloud storage (https://attack.mitre.org/techniques/T1213/).
T1041: Exfiltration Over C2 Channel – Data exfiltrated via network connections to overseas servers (https://attack.mitre.org/techniques/T1041/).
Attribution and Threat Actor Profile
The primary suspect is a former Chinese Coupang employee now residing abroad. Law enforcement and company statements confirm this attribution, and there is no evidence linking the breach to known advanced persistent threat (APT) groups or external cybercriminal organizations. The attack pattern is consistent with insider threat activity, not with external e-commerce attack patterns.
Sector-Specific Implications
The breach underscores the unique risks faced by e-commerce platforms, which store large volumes of personal and behavioral data. The lack of mandatory encryption for non-payment data in South Korea increased the impact of the breach. The incident has triggered regulatory scrutiny, class action lawsuits, and is expected to result in record fines under South Korea’s amended data protection laws. The breach also demonstrates the cross-jurisdictional regulatory impact for global e-commerce firms, as evidenced by Coupang’s SEC 8-K filing in the United States.
Evidence Quality and Confidence Assessment
All major claims in this section are corroborated by at least three independent, primary sources: BleepingComputer, TechCrunch, and Korea Herald. The technical details, timeline, and attribution are directly supported by company statements, regulatory filings, and law enforcement reports. Confidence in the attribution and technical analysis is high.
Affected Versions & Timeline
The breach affected all Coupang customer accounts in South Korea, totaling approximately 33.7 million users. There is no evidence that customer data from Coupang Taiwan or Rocket Now (the food delivery service in Japan) was affected.
The verified timeline is as follows:
June 24, 2025: Unauthorized access began via overseas servers.
November 6, 2025, 6:38 PM KST: Coupang detected unusual access.
November 8, 2025: Last date of unauthorized access.
November 18, 2025, 10:52 PM: Breach fully identified; incident response procedures initiated and authorities notified.
November 29, 2025: Coupang publicly confirmed the breach.
December 1, 2025: TechCrunch reported on the breach and its scope.
December 17, 2025: The Korea Herald confirmed the SEC 8-K filing and ongoing regulatory investigations.
Threat Activity
The threat activity in this incident was characterized by insider abuse of legitimate credentials. The attacker, a former employee, used retained access keys to access customer data repositories from overseas servers. The activity went undetected for nearly five months, from June 24 to November 8, 2025. The attacker accessed and likely exfiltrated customer names, phone numbers, email addresses, delivery addresses, and order histories. There is no evidence of malware, ransomware, privilege escalation, lateral movement, or external exploitation tools. The breach was not the result of an external cyberattack, but rather a failure in offboarding and credential management processes.
Mitigation & Workarounds
The following mitigation and workaround recommendations are prioritized by severity:
Critical: Immediately review and strengthen offboarding procedures to ensure that all access keys, credentials, and authentication tokens are revoked upon employee departure. Implement automated processes for credential revocation and access review.
Critical: Enhance monitoring and alerting for unusual access patterns, especially from overseas IP addresses and for privileged accounts. Deploy behavioral analytics to detect insider threats and credential abuse.
High: Encrypt all customer data at rest and in transit, including data not currently required to be encrypted by law (such as names, addresses, phone numbers, and order histories). This reduces the impact of future breaches and aligns with best practices for data protection.
High: Conduct regular audits of access controls, authentication mechanisms, and privileged account usage. Ensure that all access to sensitive data is logged and monitored.
Medium: Provide ongoing security awareness training for all employees, with a focus on insider threat detection and reporting.
Medium: Review and update incident response plans to ensure rapid detection, containment, and notification of data breaches. Conduct regular tabletop exercises to test response capabilities.
Low: Engage with legal and regulatory experts to ensure compliance with evolving data protection laws and to prepare for potential regulatory investigations and litigation.
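The two Critical items above (revoking keys at departure, and alerting on post-departure or overseas key usage) are mechanical enough to check in code. The following script is an added illustration, not Coupang's or Rescana's tooling: it cross-references a constructed HR roster, access-key inventory and access log, and flags keys still active after their owner left as well as log events that occur after the owner's departure date or from outside the expected home country. All names, key ids, dates and log lines are constructed.

```python
"""Offboarding and credential-abuse checks over constructed sample data.

Added illustration (not Coupang's or Rescana's tooling). It flags the two
failure modes this incident turned on: access keys still active after their
owner left, and key usage after departure or from an unexpected country.
All names, key ids, dates and log lines below are constructed."""
from datetime import datetime

# Constructed HR roster: user -> departure date (None = still employed).
ROSTER = {"alice": None, "bob": "2025-06-20"}
# Constructed key inventory: key id -> (owner, status).
KEYS = {"AKIA-CONSTRUCTED-01": ("alice", "active"),
        "AKIA-CONSTRUCTED-02": ("bob", "active")}
# Constructed access-log lines: ISO timestamp, key id, source country, action.
LOG = """2025-06-23T09:10:00Z AKIA-CONSTRUCTED-01 KR ReadCustomerRecords
2025-06-24T02:15:00Z AKIA-CONSTRUCTED-02 CN ReadCustomerRecords
2025-07-01T11:00:00Z AKIA-CONSTRUCTED-02 CN ReadCustomerRecords"""
HOME_COUNTRIES = {"KR"}  # countries from which key use is expected

def stale_keys(roster=ROSTER, keys=KEYS):
    """Offboarding check: active keys whose owner has a departure date."""
    return sorted(k for k, (owner, status) in keys.items()
                  if status == "active" and roster.get(owner) is not None)

def parse_line(line):
    """Split one constructed log line into (timestamp, key, country, action)."""
    ts, key, country, action = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), key, country, action

def suspicious_events(log=LOG, roster=ROSTER, keys=KEYS, home=HOME_COUNTRIES):
    """Detection check: key use after the owner's departure or from outside home."""
    findings = []
    for line in log.splitlines():
        ts, key, country, action = parse_line(line)
        owner, _ = keys.get(key, (None, None))
        reasons = []
        left = roster.get(owner)
        if left and ts.date() > datetime.fromisoformat(left).date():
            reasons.append("used after owner departure")
        if country not in home:
            reasons.append(f"source country {country} outside {sorted(home)}")
        if reasons:
            findings.append((key, ts.isoformat(), reasons))
    return findings

if __name__ == "__main__":
    print("stale keys:", stale_keys())
    for key, ts, reasons in suspicious_events():
        print(key, ts, "; ".join(reasons))
```

In practice the roster would come from the HR system, the inventory from the cloud provider's IAM listing, and the log from the provider's access audit trail; the script's value is in running the join on every departure, not in the sample data.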
References
https://www.bleepingcomputer.com/news/security/coupang-breach-affecting-337-million-users-raises-data-protection-questions/
https://techcrunch.com/2025/12/01/koreas-coupang-says-data-breach-exposed-nearly-34m-customers-personal-information/
https://www.koreaherald.com/article/10638028
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with vendors, partners, and internal processes. Our platform enables continuous monitoring of credential management, offboarding procedures, and data protection controls, supporting organizations in reducing the risk of insider threats and ensuring compliance with data protection regulations. For questions or further information, please contact us at ops@rescana.com.