Home > Business > Industry

Coupang criticized over lax spending on security in wake of large-scale hack

Published: 30 Nov. 2025, 19:52 Updated: 30 Nov. 2025, 20:08

The picture shows the Coupang headquarters in southern Seoul on Nov. 30. [NEWS1]

The number of customers affected by a data leak at Coupang, Korea’s largest e-commerce platform, reached 33.7 million, accounting for roughly three out of every four adults in the country.

Having already received penalties for three previous data breaches, Coupang is under fire for its poor management of customer information as well as its control over employee access to customer data.

"Investigators confirmed that the attacker exploited an authentication vulnerability in Coupang’s servers and accessed more than 30 million customer accounts — including names, email addresses, delivery addresses and phone numbers — without logging in," Minister of Science and ICT Bae Kyung-hoon said during an emergency response meeting at the government complex in central Seoul on Sunday. "The government launched a joint public-private task force today to conduct a detailed investigation and prevent further damage, and officials are examining whether Coupang violated any safety obligations related to personal information protection.”

Investigators confirmed that suspicious access to about 33.7 million Coupang customer records occurred from overseas servers, starting June 24 until recently.

Coupang said that it “blocked the access route that a third party used after confirming the unauthorized access,” but customers say they are still wary. Customers are concerned that the impact could be larger than expected because Coupang identified the leak late and initially misstated its scale.

On Nov. 20, Coupang said it “confirmed on Nov. 18 that information from 4,500 customer accounts was exposed without authorization” and reported the incident that day to the Korean National Police Agency, the Korea Internet and Security Agency (KISA) and the Personal Information Protection Commission. But the company corrected the figure to 33.7 million affected accounts after nearly 10 days had passed since the initial announcement.

Coupang said during its third-quarter earnings release that it had 24.7 million active customers with purchase histories in its product commerce division, but the number of exposed customer records exceeded that figure. The scale of the leak also surpassed the country’s largest fine for a personal information violation — the 134.8 billion won ($91.8 million) penalty issued after a leak at SK Telecom exposed 23.24 million customer records.

Coupang CEO Park Dae-jun apologizes at Government Complex Seoul in central Seoul on Nov. 30. [NEWS1]

The issue poses a larger threat than other recent cases because the breach is deemed to have come from within the company — an issue the company had been oblivious to for five months. The company revealed on Nov. 20 that it had found no traces of an external break-in, and Korean media reported that a former employee with Chinese nationality was under investigation in connection with the case.

"I sincerely apologize for causing the public significant inconvenience and concern," Coupang CEO Park Dae-jun said on Sunday. "I cannot comment because it concerns an ongoing investigation. The matter will become clear through the investigation."

Coupang employs about 10,000 office workers. Only IT and systems personnel with designated privileges can access customer information. Coupang said that it strengthened its security structure by separating the positions of chief information security officer and chief privacy officer and assigning both roles to executives, but the structure has apparently been rendered weak in the face of an internal threat.

"We would have assumed that Coupang's data protection was thorough, since the company has been hiring expensive IT personnel," said an industry insider. "But customer data protection is the basic of basics. I'm not sure if they even managed access rights properly."

Experts also pointed to internal oversight as a critical factor.

“If this breach occurred through an employee, it indicates that internal security management did not function adequately," said Park Choon-sik, a professor of cybersecurity at Seoul Women’s University. "Insider-related incidents can produce more significant damage than external attacks.”

Coupang previously received penalties for three other data incidents, all connected to internal errors. In October 2021, an app update error exposed the names and delivery addresses of 14 customers for about an hour beneath the product search bar. From August 2020 to November 2021, the names and phone numbers of about 135,000 Coupang Eats delivery drivers were transmitted to restaurants. In December 2023, the seller management system exposed the personal information of 22,440 customers.

Vehicles are seen at a Coupang logistics center in Seoul on Aug. 6. [YONHAP]

Those three cases led to approximately 1.6 billion won in fines and administrative penalties. Coupang’s annual revenue surpassed 41 trillion won last year and continued to rise sharply, but its investment in information security did not keep pace. KISA said Coupang invested about 89 billion won in cybersecurity this year, which amounts to 4.6 percent of its total IT spending.

The company increased its security budget from 66 billion won last year, but the share of security spending within the company's total IT investment declined over the past four years — from 7.1 percent, or 53.5 billion won in 2022, to 6.9 percent, or 63.9 billion won, in 2023 and 5.6 percent last year.

Coupang’s security spending also fell short in comparison to major tech firms. Last year, security investment accounted for 0.2 percent of Coupang’s revenue overall, below Kakao and SK Telecom at about 0.7 percent and Naver and KT at 0.4 percent.

“Cybersecurity requires consistent investment rather than temporary spending following an incident,” Park said. “Security spending functions as an investment. Coupang needs to increase its cybersecurity budget and reinforce internal security awareness.”

Other academics noted that companies must pair increased spending with concrete internal measures.

“The government can strengthen standards, but companies must implement their own countermeasures to address vulnerabilities,” said Youm Heung-youl, professor of Information Security at Soonchunhyang University. “The investigation needs to identify the exact cause of the problem and establish clear measures to address it."

This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom.
BY KIM KYUNG-MI, NOH YU-RIM [[email protected]]