December 3, 2025
SEOUL – Fear is mounting over large-scale personal data breaches in Korea, with the latest incident at Coupang exposing information from 33.7 million users. The leak — believed to have been carried out by a former insider — has raised broader questions about how vulnerable major platforms remain despite heavy spending on cybersecurity.
This explainer breaks down what happened, why insider attacks are uniquely hard to prevent, and what experts say needs to change.
The leak affected nearly every Coupang user, exposing names, email addresses, phone numbers, addresses and partial order histories. No payment or credit card information was compromised, according to the company.
But the scale — and the fact that the breach went undetected for nearly five months — triggered strong public concern. Coupang failed to detect unauthorized access between June 24 and Nov. 18.
Coupang CEO Park Dae-jun confirmed during a parliamentary hearing Tuesday that the prime suspect is a former Chinese developer who worked on the company’s authentication systems.
Experts say this case differs sharply from recent attacks on SK Telecom and KT, which were carried out externally.
Kim Yong-dae, ICT endowed chair professor at KAIST’s Graduate School of Information Security, explained that an insider with legitimate system access is far more difficult to detect.
“The suspect already had access privileges and generated a valid token to remotely extract data,” Kim said.
An authentication token is effectively a digital key that grants system access. If a token remains valid even after an employee leaves, it can allow remote entry without needing full login credentials.
In Coupang’s case, weak management of the signing keys used to generate these tokens may have enabled prolonged, undetected access.
“This wasn’t a system failure,” Kim said. “Even in companies with strong safety measures, privilege-management failure can lead to a massive leak.”
Coupang is one of the retail sector’s biggest spenders on IT — but its security spending is relatively small by global standards.
Coupang is set to spend 1.91 trillion won on IT this year, with 89 billion won — or 4.6 percent of the total — allocated to information security. That security budget amounts to just 0.2 percent of the company’s revenue.
By comparison, Amazon is estimated to spend $6–8 billion annually on security, equal to about 1–1.4 percent of its 2023 revenue.
Global research firm Gartner recommends that when companies treat data as a core asset, they should devote roughly 10 percent of their IT budgets to security.
Despite Coupang’s large overall IT spending in absolute terms, experts say the company — like many Korean firms — still lags global leaders when it comes to prioritizing cybersecurity as a strategic investment.
The breach persisted for months because the attacker reportedly used a valid authentication token.
A system should have flagged that a token remained active after an employee’s departure and that large volumes of data were being downloaded through a single token.
But if the token itself was valid, Kim explained, monitoring tools may not have recognized the activity as suspicious.
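The two signals described above (a token still in use after its owner has left, and an unusually large volume pulled through a single token) can be checked mechanically by joining an HR departure feed against API access logs. The following Python is an added illustration, not Coupang's tooling or anything from the article; the log layout, employee and token ids, dates and the 500 MB per 24 h threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample inputs (hypothetical, not from the article).
# HR feed: employee id -> departure date, or None if still employed.
DEPARTURES = {
    "dev-0042": datetime(2025, 6, 20),
    "dev-0007": None,
}

# API access log entries: (timestamp, employee id, token id, bytes returned).
ACCESS_LOG = [
    (datetime(2025, 6, 24, 2, 15), "dev-0042", "tok-A", 300_000_000),
    (datetime(2025, 6, 24, 2, 40), "dev-0042", "tok-A", 300_000_000),
    (datetime(2025, 7, 2, 9, 30), "dev-0007", "tok-B", 4_000_000),
    (datetime(2025, 7, 3, 9, 30), "dev-0007", "tok-B", 6_000_000),
]

def tokens_used_after_departure(log, departures):
    """Return {token: employee} for tokens used after their owner left."""
    hits = {}
    for ts, emp, tok, _ in log:
        left = departures.get(emp)
        if left is not None and ts > left:
            hits[tok] = emp
    return hits

def bulk_download_tokens(log, threshold_bytes, window=timedelta(hours=24)):
    """Return {token: peak bytes in any sliding window} for tokens over the threshold."""
    by_token = {}
    for ts, _, tok, nbytes in sorted(log):
        by_token.setdefault(tok, []).append((ts, nbytes))
    hits = {}
    for tok, events in by_token.items():
        start, total, peak = 0, 0, 0
        for ts, nbytes in events:
            total += nbytes
            # Drop events that fall out of the window ending at ts.
            while events[start][0] < ts - window:
                total -= events[start][1]
                start += 1
            peak = max(peak, total)
        if peak > threshold_bytes:
            hits[tok] = peak
    return hits

def findings(log=ACCESS_LOG, departures=DEPARTURES, threshold_bytes=500_000_000):
    return {
        "token_after_departure": tokens_used_after_departure(log, departures),
        "bulk_download": bulk_download_tokens(log, threshold_bytes),
    }
```

Both rules fire on the constructed data for tok-A only: it belongs to an employee who left on June 20 and moves 600 MB within one 24-hour window, while tok-B stays well under the threshold and its owner is still employed.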
Experts argue that Korea’s system is too focused on certification-based compliance — companies checking boxes to meet regulatory requirements — rather than enforcing real accountability.
Kim Seung-joo, professor at Korea University’s Graduate School of Information Security, said companies must treat cybersecurity as a “management risk,” not just a technical issue.
“A single leak can destroy brand trust overnight,” Kim said. “That’s why global leaders increase security spending every year.”
He argues Korea must shift toward penalty-based regulation.
“Certification often serves as a ‘free pass’ for companies to claim compliance. What we need are stronger punishments and enforceable responsibility.”
Public pressure is building. The Korea National Council of Consumer Organizations called for strict penalties and compensation measures.
Under Korea’s Personal Information Protection Act, Coupang could face fines up to 3 percent of average annual revenue, together with potential penalties reaching up to 1 trillion won.
President Lee Jae Myung on Tuesday ordered stronger digital privacy protections and plans to raise fines for major failures.