Design Highlights
- Coupang’s significant data breach raised concerns about cybersecurity, potentially straining U.S.-South Korea relations.
- The breach exposed over 33 million customer records, leading to a major trust deficit.
- South Korean officials criticized Coupang for inadequate management and failure to report breaches promptly.
- The incident’s fallout includes a sharp decline in Coupang’s stock value and CEO resignation.
- Regulatory investigations may further impact Coupang’s international partnerships and operations.
In a staggering breach that has left many shaking their heads, Coupang, South Korea’s e-commerce giant, found itself in hot water after a former engineer decided to exploit some serious security flaws. The drama kicked off in January 2025, but it was between April 14 and November 8 of that year when the real chaos erupted. The engineer, taking advantage of authentication vulnerabilities, accessed sensitive pages like the ‘My Information Modification’ page. The result? A jaw-dropping 33,673,817 names and email addresses leaked. Talk about a digital dumpster fire.
But wait, it gets worse. The engineer also accessed the ‘Delivery Address List’ page over 140 million times, pulling names, phone numbers, addresses, and even shared entrance passwords. Over 100,000 times, they peeked at the ‘Order List’ page, rifling through sensitive purchase details. It’s a horror show of data leaks—33.7 million customer records exposed, plus an extra 165,000 users’ data confirmed leaked months later. Seriously, how does that even happen?
The method behind this madness wasn’t some high-tech cyber attack. Nope. This was a classic case of internal flaws—lax oversight of authentication systems and a former employee fully aware of the weaknesses. It’s like leaving your front door wide open and then acting shocked when someone walks in.
The South Korean Science Ministry didn’t hold back, calling out management failures and citing Coupang for violating their 24-hour breach reporting requirement. They even accused the company of potential obstruction of the probe by deleting data to cover their tracks. Sounds shady, right?
Coupang, of course, disputed these findings. They claimed only 2,609 to 3,000 accounts were affected. But forensic evidence showed data had been deleted. And while they insisted no payment or login information was compromised, the damage was already done. Shares plummeted over 13%, and the fallout strained relations with the U.S. All this for what? A few weak authentication protocols? Moreover, the government findings indicated that no evidence of secondary damage from the data breach was identified, highlighting the severity of the situation.
As the regulatory storm brews, Coupang faces fines and investigations. They’ve got a $1.2 billion compensation plan on the table, a CEO resignation, and a market value loss that’s hard to wrap your head around—$8 billion gone. Much like how policy renewal becomes a critical moment for premium adjustments after major incidents, Coupang now faces a reckoning period where its entire security framework must be rebuilt from the ground up.
Meanwhile, two-thirds of South Korea’s population got caught in this mess. It’s a classic case of “if you think this can’t get worse, hold my beer.”
