South Korean officials blamed a massive data leak last year at Coupang on management failure, rather than a sophisticated cyberattack, and urged the e-commerce giant to fix vulnerabilities in its security systems.
Announcing the first findings of a government-led probe, the Science Ministry said on Tuesday, February 10, 2026, a former Coupang engineer, who was aware of flaws in the authentication process, broke into the system in April 2025, a breach that lasted until November.
The same person had attempted to gain access in January, it said.
Coupang Korea, operated by U.S.-listed Coupang Inc., faced a public and lawmaker backlash over the data breach.
"It's more of a management problem than an advanced attack," Choi Woo-hyuk, deputy minister for cyber security and network policy, told a press conference, citing lax oversight of authentication systems.
The ministry said the leak exposed personal data of about 33.7 million customers, and that a delivery-address list page, containing names and phone numbers, was viewed around 150 million times.
"The attacker exploited user authentication vulnerabilities to access user accounts without a proper login and caused large-scale unauthorized information leaks," the ministry said.
It also called on the police to investigate Coupang for trying to "restrict" the investigation by deleting some data, accusing the company of defying a government order to preserve data.
The company has previously said that the leak involved contact details, but that no payment details or login information were compromised.
It also said users had been notified as per government guidance.
'Coupang Needs Tighter Security'
The ministry accused the former employee, who left the firm in November 2024, of stealing an internal security key, known as a signing key, which it said was used to generate fake login tokens and gain unauthorized access to customer accounts.
It said the staff member had designed and developed parts of Coupang's user authentication system, and the company had failed to invalidate the developer's signing key after the person left the company, which it said was not an adequate security system.
"Coupang needs to introduce a detection and blocking system for electronic access cards that do not go through the normal issuance process," the ministry said.
The ministry added that it could not comment on whether more than one person was involved in the breach and needed to wait for the results after a police investigation.
Arrest warrant issued against ex-employee:
South Korean Justice Minister Jung Sung-ho informed in January that an arrest warrant had been issued in December for a Chinese national who had previously worked at Coupang.
The police investigation is ongoing, and the personal data watchdog is also investigating the incident.
Coupang also faced a tax audit in South Korea and a legal complaint filed by the country's parliament against its founder and former executives after they failed to show up for parliamentary hearings last year.
Furthermore, the ministry accused Coupang of violating the information-network law by failing to report the breach within the required 24-hour period and it planned to impose an administrative fine of up to 30 million won ($20,596) under the law.
As per the ministry, the Coupang data breach was first reported by the company itself to its chief information security officer on November 17, 2026, and was later reported to authorities on November 19, 2026. Since then, the investigations have been going on.
The company also acknowledged the loss of more than 33 million users and tried to compensate them with different offers.
“As the founder and chair of Coupang’s board, I sincerely apologize on behalf of all employees,” Kim said in a statement over the incident, in which about 33.7 million customers' information was allegedly leaked.
He acknowledged that many customers were left feeling uneasy about the security of their personal information and admitted that Coupang failed to communicate clearly in the early stages of the incident.
“I deeply regret the inadequate initial response and lack of communication,” he said, adding that his apology came too late.
Kim said Coupang has worked with the government over the past month to recover all leaked customer information and prevent further harm, while also pledging sweeping reforms.
“Looking back, it was a mistake not to express my apology and deep regret from the very beginning,” Kim said.
“We will rebuild trust from the ground up and fundamentally overhaul our data security measures to ensure this never happens again," he added.