Data Sovereignty and the Identity Crisis: A Deep Dive into the Coupang Breach

PART ONE

Lessons Learned from the Coupang Data Breach: Architectural Governance and the Erosion of Trust in the “Amazon of Korea”

By Dr. Ir. Charles Lim, Msc., Bsc., CSAP, Security+, CySA+, ECDE, CND, CCSE, CTIA, CHFI, EDRP, ECSA, ECSP, ECIH, CEH, CEI

Deputy Head of Master IT Program
Head of Cybersecurity Research Centre of Excellence
Head of Security Operations Center
Swiss German University

 

1. Introduction: When Domestic Infrastructure Fails

In late 2025, South Korea’s dominant e-commerce platform Coupang disclosed one of the largest data breaches in the nation’s history. The personal information of approximately 33.7 million users—nearly two-thirds of the Korean population—was compromised [1], [3]. The scale alone makes the incident historic, but its deeper significance lies elsewhere: this was not a novel cyberattack, nor an advanced external intrusion. It was a governance failure.

Coupang’s societal position magnifies the impact. Often labeled the “Amazon of Korea,” Coupang is not merely a retailer—it is digital infrastructure. Founded by Bom Kim, who transformed the company from a Groupon-style experiment into a vertically integrated logistics powerhouse, Coupang reshaped consumer behavior through Rocket Delivery and Dawn Delivery, achieving fulfilment proximity such that 70% of Koreans live within seven miles of a Coupang logistics hub [10].

This dominance produced an unprecedented concentration of high-fidelity consumer data. When that data was exposed, the breach revealed a fundamental truth: legacy perimeter security and checklist-driven compliance are structurally incapable of defending identity-centric platforms at national scale.

2. Lesson One: The Invisible Attacker and the Cost of Dwell Time

The most damning metric in the Coupang breach is not the data volume—it is time.

Unauthorized access began on June 24, 2025, originating from overseas servers. The activity remained undetected for 147 days, until November 16, 2025 [1], [3]. In modern security operations, where Mean Time to Detect (MTTD) is measured in hours, a five-month dwell time constitutes systemic blindness.

The reason is instructive. The attacker did not bypass authentication controls; they used valid cryptographic signing keys. To Coupang’s monitoring infrastructure, every request appeared legitimate. Server logs faithfully recorded activity—but logged it as authorized [1].

This exposes a hard reality of contemporary breaches:
The most dangerous attackers no longer break in—they blend in.

Perimeter defenses and static logs are designed to answer “Did a valid credential exist?” They cannot answer “Should this identity be behaving this way, from this location, at this scale?”

3. Lesson Two: The Myth of “Low-Risk” Personal Data

In its initial disclosures, Coupang emphasized that no passwords or payment card numbers were leaked [1], [2]. This framing reflects an outdated hierarchy of data sensitivity.

In modern threat economics, contextual PII is more valuable than credentials.

Leaked datasets included:

• • Full names, phone numbers, and email addresses
  • Granular shipping addresses
  • Apartment entrance codes
  • Detailed order histories

This combination enables precision social engineering. Phishing messages referencing specific order numbers or delivery delays demonstrate click-through rates up to seven times higher than generic campaigns [6].

More critically, in the Korean context, apartment entrance codes represent a rare convergence of cyber and physical risk. Dawn Delivery requires drivers to access residential buildings before sunrise. Once compromised, attackers gain the ability to translate digital access into real-world intrusion [10].

The breach dismantles the notion that “non-financial data” is benign. Behavioral data is predictive, actionable, and exploitable at scale.

4. Lesson Three: Identity Lifecycle Failure and the “Master Stamp”

At the heart of the incident lies a single procedural breakdown.

A developer hired in 2022 to work on authentication systems left South Korea in July 2024 and was terminated in December 2024. Yet his cryptographic signing keys remained valid [2], [10].

To understand the severity, consider the Master Stamp analogy:

• • A login token is a temporary access card
  • A signing key is the stamp that issues those cards

By retaining the stamp, the former employee could mint unlimited valid credentials—bypassing login flows, MFA triggers, and alerting mechanisms [3].

Even more troubling, Coupang admitted that signing keys were configured with 5–10 year validity periods [2]. This is not an oversight; it is architectural negligence. The National Assembly’s Science Committee classified the failure as “organizational and structural”, not individual error [2].

5. Lesson Four: Why Logs Record History, Not Truth

Coupang’s internal investigation revealed that traditional server logs provided no early warning. This was expected. Logs are deterministic records of events, not validators of authenticity.

When a key is valid, the log marks the action as authorized—even if the identity using it is no longer legitimate [1].

This incident exposes the need for a new control layer: verification of provenance, not merely authentication status. Systems must answer not only “Was a valid key presented?” but “Is this the expected identity, device, behavior, and jurisdiction?”

Logs tell you what happened. Provenance tells you whether it should have happened.

6. Lesson Five: Certification Without Security

Despite holding ISMS-P, ISO 27001, and Global CBPR certifications, Coupang has suffered four major data breaches since 2021 [4], [5]. The contradiction highlights the danger of paper compliance—audit frameworks that emphasize documentation over live controls.

Public accountability was equally flawed. Coupang announced a 1.69 trillion won compensation package, offering users 50,000 won each. Yet the compensation was delivered primarily as vouchers for Coupang’s own premium services, forcing users to spend additional money to extract value [3], [10]. Consumer groups widely criticized the move as reputational damage control rather than restitution.

A final irony deepened public backlash: Coupang had already implemented biometric passkeys for its Taiwan expansion in 2022—but failed to deploy them domestically [3], [10]. The Korean market was left exposed to a key-based exploit that stronger identity controls had already solved elsewhere.

7. Part One Conclusion: The End of Static Defense

The Coupang breach marks the collapse of static, perimeter-centric security. An unrevoked identity, operating quietly across borders, bypassed certifications, audits, and logs for nearly half a year.

Security, in this case, was treated as a regulatory obligation rather than a foundational architectural principle. In Part Two, we examine how this failure can be transformed into a strategy—one grounded in jurisdictional enforcement, cryptographic provenance, and verifiable identity.

References

[1] Sequenxa, 5 Lessons from the Coupang Leak & How to Stay Protected, Dec. 7, 2025.
[2] 이지현 and CSO Staff, Coupang breach of 33.7 million accounts allegedly involved engineer insider, CSO Online, Dec. 4, 2025.
[3] N. Kyung-min, Coupang data breach in 2 minutes, The Korea Herald, Jan. 25, 2026.
[4] L. Seung-hwan, Coupang’s “top security” certification proves hollow amid major data leaks, Maeil Business, Dec. 1, 2025.
[5] Coupang, Information Security / Privacy Certification Acquired, 2025.
[6] M. Sang-hyeok, Over 30 million accounts affected in Coupang data breach, Korea JoongAng Daily, Jan. 26, 2026.
[10] Asian Boss, Why the U.S. Just Announced New Tariffs on South Korea, Nov. 30, 2025.