How a Missed Offboarding Step Led to South Korea’s Largest Data Breach: The Coupang Insider Incident
A single ex-employee, a missed offboarding step, and months of undetected access—these were the ingredients for one of South Korea’s largest data breaches, impacting 33.7 million Coupang customers. The breach, which began with unauthorized access on June 24, 2025, and went unnoticed until November, wasn’t the work of a shadowy hacker collective but rather a trusted insider who slipped through the cracks of Coupang’s security protocols (BleepingComputer).
Coupang, a tech and retail powerhouse with over 95,000 employees and $30 billion in annual revenue, found itself scrambling to recover not just data, but customer trust. The breach exposed names, emails, addresses, and order histories, prompting a $1.17 billion compensation package—one of the largest ever seen in the region. The story is a stark reminder that even the most advanced companies can be undone by simple lapses in access management, and that the human element remains the wild card in cybersecurity. As the dust settles, Coupang’s experience offers a cautionary tale for organizations everywhere, especially as insider threats and sophisticated attacks continue to rise in the era of AI and hyper-connected systems (BleepingComputer).
How Coupang’s Data Breach Happened: The Inside Story of Access Gone Wrong
Timeline of Events Leading to the Breach
The data breach at Coupang unfolded over several months, beginning with the unauthorized access that occurred on June 24, 2025, but only coming to light in mid-November of the same year (BleepingComputer). This significant delay in detection allowed the perpetrator to maintain access to sensitive customer data for an extended period. The breach was not a result of an external cyberattack but rather stemmed from internal access by a trusted employee, which complicated early detection and response efforts.
Coupang, a major U.S.-based tech and retail company operating in South Korea, employs approximately 95,000 people and has an annual revenue exceeding $30 billion. The breach ultimately exposed the personal information of 33.7 million customers, making it one of the most severe incidents in South Korea’s history. The timeline of the incident is notable for the gap between the initial breach and its discovery, highlighting potential weaknesses in Coupang’s monitoring and incident response protocols.
Insider Threat: The Role of the Former Employee
At the center of the breach was a 43-year-old Chinese national who had been employed in Coupang’s IT department from November 2022 until sometime in 2024 (BleepingComputer). This individual’s position granted them privileged access to critical systems and customer data. After leaving the company, the former employee retained system access, which was leveraged to exfiltrate sensitive information.
The investigation revealed that the suspect accessed data from 33 million accounts and retained detailed information from approximately 3,000 users. The breach was ultimately traced back to this ex-employee, underscoring the risks posed by insiders with lingering access to company systems. Coupang’s subsequent efforts to recover the stolen data included direct contact with the former employee, resulting in the retrieval of desktop computer hard drives containing the compromised information.
Breakdown of Security Controls and Access Management
The breach exposed significant shortcomings in Coupang’s Identity and Access Management (IAM) practices. The former employee’s continued access to critical systems after their departure suggests that offboarding procedures were either insufficient or not properly enforced (BleepingComputer). Proper IAM protocols dictate that access rights should be revoked immediately upon an employee’s exit to prevent unauthorized activity.
The incident also highlighted the importance of monitoring privileged accounts and implementing robust audit trails. The lack of real-time alerts or anomaly detection allowed the unauthorized access to persist for months. External cybersecurity firms, including Mandiant, Palo Alto Networks, and Ernst & Young, were brought in to assist with the investigation, indicating the complexity and scale of the breach. Their involvement points to the need for continuous improvement in internal security controls and third-party validation.
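One way to check for the gap described above, as an added example (not Coupang's tooling and not from the cited report): reconcile HR exit dates against identity-provider account state and authentication logs, flagging access that is still live after departure and any logins dated after it. The users, field names, log layout and all sample data are constructed assumptions.

```python
from datetime import date, datetime

# Constructed sample data (hypothetical users, fields and log layout).
TODAY = date(2025, 8, 1)                     # audit date
HR_EXITS = {"departed_a": date(2025, 1, 31), "departed_b": date(2025, 3, 14)}
IDP_ACCOUNTS = [
    {"user": "departed_a", "enabled": True,  "active_keys": 2},
    {"user": "departed_b", "enabled": False, "active_keys": 1},  # disabled, key still live
    {"user": "current_c",  "enabled": True,  "active_keys": 1},
]
AUTH_LOG = [
    "2025-01-20T09:00:00 user=departed_a result=success src=192.0.2.10 resource=wiki",
    "2025-07-02T02:11:09 user=departed_a result=success src=203.0.113.7 resource=customer-db",
    "2025-04-02T10:30:00 user=departed_b result=failure src=198.51.100.4 resource=vpn",
    "2025-07-03T08:00:00 user=current_c result=success src=192.0.2.11 resource=customer-db",
]

def parse_event(line):
    """Turn 'timestamp key=value ...' into a dict with a parsed 'ts'."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event

def orphaned_accounts(exits, accounts, today):
    """Departed users whose account is still enabled or still holds live keys."""
    findings = []
    for acct in accounts:
        exit_day = exits.get(acct["user"])
        if exit_day and exit_day < today and (acct["enabled"] or acct["active_keys"]):
            findings.append((acct["user"], (today - exit_day).days))
    return findings

def post_exit_activity(exits, log_lines):
    """Auth events dated after the user's exit day, successes and failures alike."""
    hits = []
    for line in log_lines:
        ev = parse_event(line)
        exit_day = exits.get(ev.get("user"))
        if exit_day and ev["ts"].date() > exit_day:
            hits.append((ev["user"], ev["ts"].isoformat(), ev["result"], ev["resource"]))
    return hits

if __name__ == "__main__":
    for user, days in orphaned_accounts(HR_EXITS, IDP_ACCOUNTS, TODAY):
        print(f"REVOKE  {user}: access still live {days} days after exit")
    for user, ts, result, resource in post_exit_activity(HR_EXITS, AUTH_LOG):
        print(f"ALERT   {user}: {result} on {resource} at {ts}")
```

Run on a schedule, the first check catches missed revocations before they are used; the second turns a months-long detection gap into an alert on the first post-exit login.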
Data Handling and Evidence Recovery Efforts
Following the discovery of the breach, Coupang undertook extensive efforts to recover the compromised data and evidence. Notably, the company managed to retrieve the former employee’s desktop computer hard drives, which contained sensitive customer information (BleepingComputer). Additionally, a MacBook Air laptop belonging to the suspect was found in a river, where it had been discarded in an apparent attempt to destroy evidence.
These recovery efforts were crucial in determining the extent of the breach and confirming that the data had not been further disseminated. According to Coupang, the former employee did not transfer the data to third parties and deleted it from their devices after being contacted by the company. This assertion, while reassuring, underscores the challenges organizations face in verifying the full scope of data exposure following an insider breach.
Impact on Customers and Regulatory Response
The breach had a profound impact on Coupang’s customer base, with 33.7 million individuals affected. Exposed data included names, email addresses, physical addresses, and order information (BleepingComputer). The scale of the incident prompted the South Korean national police to take over the investigation, reflecting its seriousness and the potential for widespread harm.
In response, Coupang announced a compensation package totaling $1.17 billion (1.685 trillion won), to be distributed gradually starting January 15, 2026. Each affected customer will receive four single-use purchase vouchers totaling 50,000 won (approximately $34), covering various Coupang services such as Rocket Delivery, Coupang Eats, Coupang Travel, and R.LUX products. This compensation initiative aims to restore customer trust and mitigate reputational damage, while also setting a precedent for corporate accountability in the aftermath of large-scale data breaches.
The regulatory response has also included increased scrutiny of Coupang’s data protection practices and broader calls for enhanced cybersecurity standards across the industry. The incident has served as a catalyst for discussions on the need for stricter controls over employee access, more rigorous offboarding procedures, and improved monitoring of privileged accounts to prevent similar breaches in the future.
Lessons Learned and Industry Implications
The Coupang breach also carries broader lessons for the industry. The incident underscores the critical importance of robust insider threat detection and response mechanisms. Organizations must ensure that employee access is strictly controlled and promptly revoked upon termination or role changes.
Furthermore, the breach demonstrates the necessity of comprehensive audit trails and real-time monitoring to detect unusual activity by privileged users. The involvement of external cybersecurity experts in the investigation reflects the value of independent assessments in identifying and addressing security gaps. Finally, the scale of the compensation package and the regulatory response signal a shift toward greater accountability and customer protection in the event of data breaches.
The Coupang incident serves as a cautionary tale for organizations worldwide, emphasizing that even the most sophisticated companies are vulnerable to insider threats if proper controls are not in place. As the industry continues to evolve, the lessons learned from this breach will inform future strategies for safeguarding sensitive data and maintaining customer trust.
Note: All information in this report is based on the latest available data as of December 29, 2025, and sourced from BleepingComputer.
Final Thoughts
Coupang’s data breach is more than a headline—it’s a wake-up call for businesses navigating the complex intersection of technology, trust, and human behavior. The incident underscores the critical need for airtight offboarding processes, real-time monitoring of privileged accounts, and a culture that treats cybersecurity as everyone’s responsibility. As AI and IoT expand the attack surface, the lessons from Coupang’s ordeal are clear: robust identity and access management isn’t just best practice—it’s survival (BleepingComputer).
The $1.17 billion compensation package sets a new bar for corporate accountability, signaling to customers and regulators alike that data protection is non-negotiable. For organizations worldwide, the message is simple: don’t wait for a breach to expose your weakest link. Learn from Coupang, invest in proactive security, and remember—sometimes, the biggest threats are already inside the building.
References
- BleepingComputer. (2025, December 29). Coupang to split $1.17 billion among 33.7 million data breach victims. https://www.bleepingcomputer.com/news/security/coupang-to-split-117-billion-among-337-million-data-breach-victims/