How IAM Failures Enabled the Coupang Data Breach: Lessons for Enterprises

Alex Cipher, 8 min read

A single overlooked account can unravel the security fabric of even the largest tech giants. Coupang, South Korea’s e-commerce powerhouse, learned this the hard way when a former employee’s lingering system access led to a breach impacting 33.7 million customers. The attacker, a 43-year-old ex-employee, quietly retained privileged access months after leaving the company, slipping past dormant monitoring systems and exposing a trove of sensitive customer data (BleepingComputer).

This incident isn’t just a cautionary tale for HR and IT departments—it’s a wake-up call for anyone responsible for digital trust. The breach, which went undetected for nearly five months, highlights how gaps in Identity and Access Management (IAM) can have ripple effects far beyond the initial compromise. From a surge in phishing scams to executive resignations, Coupang’s experience underscores the urgent need for automated deprovisioning, real-time monitoring, and a culture that treats IAM as a shared responsibility. As organizations increasingly rely on cloud, AI, and interconnected systems, the stakes for getting IAM right have never been higher (BleepingComputer).

How Identity and Access Management (IAM) Failures Opened the Door: Lessons from the Coupang Breach

Persistent System Access After Employment Termination

A critical IAM failure at Coupang was the inability to revoke system access for a former employee, which directly facilitated the breach. According to reports, the primary suspect—a 43-year-old former employee—retained access to Coupang’s internal authentication management system even after his departure in 2024 (BleepingComputer). This oversight allowed the ex-employee to access sensitive customer data months after leaving the company. The breach, which occurred on June 24, 2025, was not discovered until November 18, 2025, highlighting a significant lag in detection and response.

IAM best practices dictate that user accounts, especially those with privileged access, must be deactivated or removed immediately upon termination of employment. Coupang’s failure to enforce this control enabled unauthorized access to persist, exposing the data of 33.7 million customers. This incident underscores the necessity for automated deprovisioning processes and regular audits of user accounts to ensure that only current employees retain access to critical systems.

Inadequate Monitoring and Logging of Privileged Activities

The breach also exposed deficiencies in Coupang’s monitoring and logging mechanisms. The ex-employee’s unauthorized activities went undetected for nearly five months, suggesting that either logs were not being reviewed in a timely manner, or that alerting mechanisms for anomalous access were insufficient (BleepingComputer). Effective IAM programs require continuous monitoring of privileged accounts, with real-time alerts for unusual behavior such as access from unexpected locations, off-hours activity, or attempts to extract large volumes of data.

In this case, the lack of timely detection allowed the attacker to operate with impunity, ultimately leading to the compromise of names, email addresses, physical addresses, and order information for tens of millions of customers. The failure to correlate access logs with employment status changes further exacerbated the situation, as the ex-employee’s continued access should have triggered immediate investigation.
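The two controls discussed above, the account audit against current employment and the correlation of access logs with employment status, can be sketched as follows. This is an added example, not code from Coupang or the original article; the roster, account export and log line formats are assumptions, and all sample data is constructed.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample inputs (not data from the incident).
HR_ROSTER = "user,termination_date\nalice,\nbob,2025-01-31\ncarol,2024-12-15\n"
IDP_ACCOUNTS = "user,enabled\nalice,true\nbob,true\ncarol,false\nsvc-report,true\n"
AUTH_LOG = (
    "2025-01-31T17:55:02Z user=bob action=login src=198.51.100.4\n"
    "2025-03-10T02:13:07Z user=bob action=token_issue src=203.0.113.7\n"
    "2025-03-10T09:01:44Z user=alice action=login src=198.51.100.4\n"
)

def load_roster(roster_csv):
    """Map user -> termination date (None while still employed)."""
    return {r["user"]: (date.fromisoformat(r["termination_date"])
                        if r["termination_date"] else None)
            for r in csv.DictReader(io.StringIO(roster_csv))}

def stale_accounts(roster, accounts_csv):
    """Enabled accounts whose owner has left or is unknown to HR."""
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["enabled"] != "true":
            continue  # already deprovisioned
        if acct["user"] not in roster:
            findings.append((acct["user"], "no HR owner"))
        elif roster[acct["user"]] is not None:
            findings.append((acct["user"], "owner terminated"))
    return findings

def post_termination_events(roster, log_text):
    """Log events dated after the acting user's termination date."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        when = datetime.fromisoformat(ts.replace("Z", "+00:00")).date()
        left = roster.get(kv.get("user"))  # None: active or not in roster
        if left is not None and when > left:
            hits.append((kv["user"], kv["action"], (when - left).days))
    return hits

if __name__ == "__main__":
    roster = load_roster(HR_ROSTER)
    print(stale_accounts(roster, IDP_ACCOUNTS))
    print(post_termination_events(roster, AUTH_LOG))
```

Run on a schedule, the first check surfaces accounts that deprovisioning missed; the second turns any post-termination activity into an alert with the number of days since the user left.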

Segregation of Duties and Least Privilege Violations

Another IAM weakness evident in the Coupang breach was the apparent violation of the principles of segregation of duties and least privilege. The former employee was reportedly assigned to an authentication management system, a highly sensitive role that should have been tightly controlled and monitored (BleepingComputer). IAM frameworks recommend restricting access rights to the minimum necessary for users to perform their job functions and separating critical duties among multiple individuals to reduce the risk of insider threats.

At Coupang, the ex-employee’s access to authentication systems suggests that he may have had broad privileges, enabling him to bypass controls or cover his tracks. The breach highlights the importance of regularly reviewing and adjusting access rights, especially for high-risk roles, and implementing dual-control mechanisms for sensitive operations.

Delayed Detection and Incident Response Failures

The timeline of the breach—occurring in June 2025 but not discovered until November 2025—demonstrates a breakdown in both IAM and incident response processes. Prompt detection of unauthorized access is a cornerstone of effective IAM, relying on integration with security information and event management (SIEM) systems and automated incident response workflows. Coupang’s delayed discovery allowed the attacker to maintain access for an extended period, increasing the scale and impact of the breach (BleepingComputer).

This delay also hindered Coupang’s ability to contain the incident and notify affected customers in a timely manner. The company only announced the breach on December 1, 2025, more than five months after the initial compromise. Such delays can have severe legal, regulatory, and reputational consequences, particularly in jurisdictions with strict data breach notification requirements.

IAM Governance and Accountability Gaps

The breach at Coupang revealed broader governance and accountability issues within the company’s IAM program. The police investigation, which included the seizure of internal documents, logs, and system records, aimed to determine whether negligence or legal violations contributed to the incident (BleepingComputer). Effective IAM governance requires clear assignment of responsibilities for access management, regular audits, and enforcement of security policies.

In Coupang’s case, the lack of clear accountability for IAM processes may have contributed to lapses in access revocation, monitoring, and response. The resignation of the company’s CEO, Park Dae-Jun, following the breach, further underscores the organizational impact of IAM failures and the need for executive oversight of cybersecurity practices.

Post-Breach Phishing Surge and the Ripple Effect of IAM Lapses

In the aftermath of the breach, South Korea experienced a surge in phishing activity, with hundreds of reports of Coupang impersonation and an estimated two-thirds of the population affected by related scams (BleepingComputer). This secondary wave of attacks illustrates how IAM failures can have cascading effects beyond the initial compromise, exposing customers to ongoing risks.

The stolen data, while not reportedly leaked online, provided attackers with enough information to craft convincing phishing messages, exploiting the trust customers placed in Coupang. This outcome highlights the importance of robust IAM controls not only for protecting corporate assets but also for safeguarding customer trust and mitigating downstream threats.

Lessons for IAM Programs in Large Enterprises

The Coupang breach offers several key lessons for organizations seeking to strengthen their IAM programs:

  • Automate Deprovisioning: Ensure that access revocation is immediate and automated upon employee termination, especially for privileged accounts.
  • Continuous Monitoring: Implement real-time monitoring and alerting for all privileged account activities, with regular reviews of access logs.
  • Principle of Least Privilege: Restrict access rights to the minimum necessary and enforce segregation of duties for sensitive roles.
  • Integrated Incident Response: Align IAM processes with incident response plans to enable rapid detection, containment, and notification of breaches.
  • Executive Oversight: Establish clear governance structures and assign accountability for IAM processes at the highest organizational levels.

By addressing these areas, organizations can reduce the risk of insider threats and limit the potential damage from IAM failures, as starkly demonstrated by the Coupang incident.

The Coupang breach has prompted scrutiny from regulatory authorities and law enforcement, with the potential for legal consequences if negligence is found (BleepingComputer). Data protection regulations in South Korea and globally require organizations to implement adequate safeguards for personal information, including effective IAM controls.

Failure to comply with these requirements can result in significant fines, litigation, and loss of business. The investigation into Coupang’s practices serves as a cautionary tale for other enterprises, emphasizing the need for proactive compliance and regular assessments of IAM effectiveness to avoid similar outcomes.

The Role of IAM in Preventing Large-Scale Data Breaches

The scale of the Coupang breach—impacting 33.7 million customers—demonstrates how a single IAM failure can have far-reaching consequences. IAM is a foundational element of cybersecurity, serving as the gatekeeper for access to sensitive data and systems. When IAM processes break down, the entire security posture of an organization is compromised.

Organizations must prioritize IAM as a strategic business function, investing in modern solutions that support automation, analytics, and integration with broader security frameworks. Regular training, awareness programs, and testing of IAM controls are essential to ensure resilience against both internal and external threats.

Organizational Culture and IAM Maturity

Finally, the Coupang incident highlights the importance of fostering a security-conscious organizational culture that values IAM as a shared responsibility. Employees at all levels must understand the critical role of access management in protecting customer data and the organization’s reputation. Regular communication, training, and leadership engagement are vital for building an IAM program that can adapt to evolving threats and business needs.

By learning from Coupang’s experience, organizations can strengthen their IAM practices, reduce the risk of insider threats, and better protect the sensitive information entrusted to them by customers and partners.

Final Thoughts

The Coupang breach is a stark reminder that cybersecurity isn’t just about firewalls and encryption—it’s about people, processes, and vigilance. When a single ex-employee can quietly walk out the digital door with the keys to the kingdom, it’s clear that IAM failures can have consequences that echo across an entire nation. Automated access revocation, continuous monitoring, and a culture of accountability aren’t just best practices—they’re business imperatives (BleepingComputer).

As phishing scams surge and regulatory scrutiny intensifies, organizations must treat IAM as a living, evolving discipline. Investing in robust IAM frameworks, leveraging AI for anomaly detection, and fostering a security-first mindset at every level can help prevent the next headline-grabbing breach. Coupang’s story is a lesson for enterprises everywhere: the cost of IAM complacency is simply too high.

References