
Coupang Fails to Detect Breach for Five Months... Is Payment Information Really Safe?

A massive personal information leak involving over 30 million cases has occurred at Coupang. This scale exceeds the economically active population of 29.69 million, making it the worst leak incident in history. On December 1, following an apology text message from Coupang regarding the personal information leak, a Coupang signboard installed at Coupang headquarters is visible. 2025.12.01 Photo by Dongju Yoon

Scale of Personal Information Leak

7,500 times greater than initially reported


The scale of Coupang's personal information leak has grown to 7,500 times larger than initially announced, prompting the government to investigate the possibility of payment information also being compromised. Although the company continues to stress that "payment information is secure," the government has stated that it is conducting its own investigation, separate from Coupang's explanations, as multiple questions have arisen during the disclosure process. In particular, there are doubts about the credibility of Coupang's statements, as the company admitted it only became aware of the breach in November, despite indications that intrusion attempts had been ongoing since the end of June.


Emergency Meeting of Relevant Ministries Regarding Coupang

(Seoul=Yonhap News) Reporter Han Jongchan = Paik Kun, Deputy Prime Minister and Minister of Science and ICT, is speaking at the emergency meeting of relevant ministries regarding Coupang held at the Government Complex Seoul in Jongno-gu, Seoul on October 30. Attendees included Yoo Jaesung, Acting Commissioner of the National Police Agency, Song Kyunghui, Chairperson of the Personal Information Protection Commission, officials from the National Intelligence Service, and Yoon Changryul, Director of the Office for Government Policy Coordination. 2025.11.30 [Joint Coverage]


An official from the Personal Information Protection Commission said on December 1, "Coupang claims that payment information and personal data are stored in separate systems," but added, "However, since the investigation is ongoing, it is difficult to accept this claim as definitive."


Coupang has previously stated that the information exposed in this breach is limited to names, phone numbers, addresses, emails, and some order details, emphasizing that payment information, credit card numbers, and login credentials are "managed separately in different systems and are secure." Since payment information is more sensitive than general personal data, security experts consider Coupang's explanation technically plausible. However, experts agree that while this explanation is structurally possible, separate verification is needed to confirm whether the structure and access controls actually functioned as intended.

In addition to the possibility of further data leaks, questions surrounding the fundamental cause of this incident must also be addressed during the investigation. The fact that Coupang's internal authentication system was left unattended for an extended period has further fueled these concerns.


According to materials received from Coupang on October 30 by Choi Minhee, Chairperson of the National Assembly's Science, ICT, Broadcasting, and Communications Committee and a member of the Democratic Party, it was confirmed that a signature key (token signature key) issued to personnel in charge of authentication had not been renewed for a long time. If a token serves as a kind of one-time pass, the signature key is equivalent to the stamp used to issue that pass. Even if the pass is discarded, as long as the stamp remains valid, anyone can continue to generate new passes at will.


Coupang failed to delete or renew the signature key used for token generation when the responsible employee left the company, leaving the long-valid signature key exposed to potential misuse by internal staff (or former employees). While Coupang did not disclose the exact validity period of the authentication key exploited in this hacking incident, citing the ongoing police investigation, the company responded that "it is common for token signature keys to be set with a validity period of 5 to 10 years."
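The pass-and-stamp relationship described above, as an added example that is not from the article or from Coupang: a minimal HMAC-signed token scheme (an assumption, since the article does not say which token format or algorithm was in use) with constructed key IDs and secrets. It shows that token expiry alone does not help while the signing key stays trusted, and that retiring the key at offboarding invalidates every token made with it.

```python
import base64, hashlib, hmac, json

DAY = 86400
OLD_SECRET = b"constructed-key-known-to-ex-staff"  # constructed sample value

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _tag(secret, payload):
    return _b64(hmac.new(secret, payload.encode(), hashlib.sha256).digest())

def mint(kid, secret, subject, issued_at, ttl):
    """Issue a pass: claims plus an HMAC-SHA256 tag made with the signing key."""
    claims = {"kid": kid, "sub": subject, "exp": issued_at + ttl}
    payload = _b64(json.dumps(claims).encode())
    return payload + "." + _tag(secret, payload)

def verify(token, keyring, now):
    """Return (accepted, reason); key status is checked before the signature."""
    try:
        payload, tag = token.split(".")
        padded = payload + "=" * (-len(payload) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
        kid, exp = claims["kid"], claims["exp"]
        key = keyring.get(kid)
    except (ValueError, KeyError, TypeError):
        return False, "malformed"
    if key is None or key["retired"]:
        return False, "signing key not trusted"
    if not hmac.compare_digest(_tag(key["secret"], payload).encode(), tag.encode()):
        return False, "bad signature"
    if now >= exp:
        return False, "token expired"
    return True, "ok"

def rotate(keyring, old_kid, new_kid, new_secret):
    """Offboarding step: retire the old key, sign with a new one from now on."""
    keyring[old_kid]["retired"] = True
    keyring[new_kid] = {"secret": new_secret, "retired": False}

def demo():
    keyring = {"k-old": {"secret": OLD_SECRET, "retired": False}}
    first = mint("k-old", OLD_SECRET, "svc", issued_at=0, ttl=DAY)
    results = [verify(first, keyring, now=365 * DAY)]  # the old pass has expired
    # The key was never rotated, so a pass stamped with it a year later is valid.
    fresh = mint("k-old", OLD_SECRET, "svc", issued_at=365 * DAY, ttl=DAY)
    results.append(verify(fresh, keyring, now=365 * DAY + 1))
    rotate(keyring, "k-old", "k-new", b"constructed-replacement-key")
    results.append(verify(fresh, keyring, now=365 * DAY + 1))  # now rejected
    return results
```

Calling `demo()` returns the three verification outcomes in order: expired token, fresh token accepted under the unrotated key, and the same token rejected after rotation.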


Coupang CEO Daejun Park Publicly Apologizes

(Seoul=Yonhap News) Reporter Jongchan Han = On November 30, at the Government Seoul Office where an emergency ministerial meeting on Coupang was held, Coupang CEO Daejun Park is seen publicly apologizing as he leaves the meeting room. 2025.11.30 [Joint Coverage]


A more fundamental question is whether Coupang truly failed to notice the mismanagement of authentication keys for five months. Despite abnormal access occurring since the end of June, if Coupang only recognized the breach now, it suggests that basic security systems, such as access control, log analysis, and anomaly detection, were not functioning properly. Regardless of whether internal privileges were abused, former employees' authentication data was reused externally, or any other form of unauthorized access occurred, the fact that it went undetected for five months is technically difficult to accept. It is still unclear whether this detection delay was simply a technical failure, or if Coupang became aware of the breach earlier but kept it internal for a period of time. Professor Yum Heungyeol of Soonchunhyang University's Department of Information Security explained, "While it can be difficult to detect if an insider accesses the system in a sophisticated manner, the fact that no signals were detected for five months essentially means the security system was not functioning properly."


If it is later revealed that payment or card information was also leaked, the impact of the incident will inevitably grow. This could lead to actual financial damages, such as unauthorized transactions, and increase the likelihood of regulatory penalties or compensation liabilities for Coupang.
