A former employee who had worked in Coupang's authentication and access management systems reportedly leaked personal data by using internal access rights from outside the system after leaving the company.
According to internal documents released Monday by Rep. Choi Min-hee, chair of the National Assembly’s Science, ICT, Broadcasting and Communications Committee, Coupang failed to revoke the access keys issued to the former employee, who allegedly used them to authenticate access tokens — digital credentials that allow system access without requiring a separate login.
The breach occurred after the suspect left the company and used his retained access from outside to reach internal systems. Abnormal access from foreign internet protocol addresses took place from June 24 until recently, but Coupang did not report the activity until Nov. 18, initially saying about 4,500 accounts were affected.
Coupang on Saturday acknowledged a data breach affecting nearly its entire customer base of 33.7 million users, with exposed information including names, phone numbers, email addresses and home addresses.
The incident revealed serious flaws in Coupang’s security management practices, particularly in updating cryptographic signing keys used to validate access tokens after the employee’s departure.
“Although the renewal of signing keys is a fundamental procedure within internal cybersecurity protocols, Coupang failed to follow it,” said Choi. “The prolonged validity of authentication keys highlights an organizational and structural failure in Coupang’s identity management system.”
Coupang stated that key expiration policies vary across the industry, typically ranging from five to 10 years. The company did not disclose the exact duration for which the compromised key remained valid.
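As an added illustration of the control the article says was missing (this is not Coupang's code, whose token format is not public), the following Python sketch verifies HMAC-signed access tokens against a registry of signing keys, so that revoking a key when its holder leaves invalidates tokens signed under it even though the key's own multi-year expiry has not passed. Key ids, secrets and the day counts are constructed for the demo.

```python
import base64, hashlib, hmac, json

def _b64(data):
    return base64.urlsafe_b64encode(data).decode()

class SigningKeyRegistry:
    """Keys the verifier trusts, by key id; each has an expiry and can be revoked early."""
    def __init__(self):
        self._keys = {}
    def add_key(self, kid, secret, not_after):
        self._keys[kid] = {"secret": secret, "not_after": not_after, "revoked": False}
    def revoke(self, kid):
        self._keys[kid]["revoked"] = True  # rotation: retire the old key at once
    def verification_secret(self, kid, now):
        key = self._keys.get(kid)
        if key is None or key["revoked"] or now >= key["not_after"]:
            return None
        return key["secret"]

def mint_token(kid, secret, claims):
    header, body = _b64(json.dumps({"kid": kid}).encode()), _b64(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_token(registry, token, now):
    """Claims if kid maps to a live key, the MAC matches and 'exp' is in the future; else None."""
    try:
        header, body, sig = token.split(".")
        kid = json.loads(base64.urlsafe_b64decode(header))["kid"]
    except (ValueError, KeyError, TypeError):
        return None
    secret = registry.verification_secret(kid, now)
    if secret is None:
        return None  # unknown, revoked or expired key: rejected whatever the token's own exp says
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig)):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims if claims.get("exp", 0) > now else None

def rotation_demo():  # constructed scenario: a ten-year key signed a token, then its holder left
    day = 86_400
    reg = SigningKeyRegistry()
    reg.add_key("k-2020", b"constructed-secret-2020", not_after=3650 * day)
    old = mint_token("k-2020", b"constructed-secret-2020", {"sub": "svc", "exp": 3600 * day})
    before = verify_token(reg, old, now=1200 * day)  # key still trusted: accepted years later
    reg.revoke("k-2020")                             # departure-triggered rotation
    reg.add_key("k-2025", b"constructed-secret-2025", not_after=1290 * day)
    after = verify_token(reg, old, now=1200 * day)   # same token now rejected
    return before, after
```

The point is the order of checks: the key id is resolved against the live key set before the signature is even computed, so a departure-triggered revocation takes effect immediately rather than at the key's distant expiry.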
Later in the day, Presidential Chief of Staff Kang Hoon-sik also signaled that the government may bolster the nation’s punitive damages framework, which he said is “effectively not functioning” in its current form.
Punitive damages — intended to impose penalty-level compensation on companies for grave negligence or repeated wrongdoing — have long been criticized in Korea for lacking real force.
Kang stressed that when a company is clearly at fault, the punitive damages system “must operate with real effectiveness,” and directed officials to review ways to strengthen it.
“As Korea enters an era in which data is the core of corporate competitiveness due to the rise of artificial intelligence, companies publicly tout strict safeguards while, in reality, leaving back doors wide open,” Kang said.
Following what could be the country’s worst-ever customer data breach, Coupang could be fined as much as 1 trillion won ($680 million) under Korea’s data protection law.
Under the Personal Information Protection Act, violators may be fined up to 3 percent of their average annual revenue over the past three business years, with the calculation excluding revenue unrelated to the violation.
Coupang posted 38.3 trillion won in revenue last year and 36.3 trillion won through the third quarter of this year.
While the final amount may be reduced based on mitigating factors, the penalty is still expected to exceed the previous record of 134.8 billion won, imposed on SK Telecom in a past data breach case.
minmin@heraldcorp.com
