Full Report
Former staffer of Korean e-tailer Coupang accessed 33 million records but may have done less damage than feared Korean e-tailer Coupang claims a former employee has admitted to improperly accessing data describing 33 million of its customers, but says the accused deleted the stolen data.…
Analysis Summary
# Incident Report: Unauthorized Access of 33 Million Coupang Customer Records
## Executive Summary
A former employee of Korean e-tailer Coupang improperly accessed the data of approximately 33 million customers. The access was achieved by using a stolen security key. While the scope of data viewed was limited (around 3,000 accounts' order histories and building access codes), the sheer number of potentially exposed records necessitated a significant response, including offering substantial customer vouchers. The accused admitted to the actions and claimed to have deleted the data, later attempting to destroy digital evidence by submerging a laptop in a river.
## Incident Details
- **Discovery Date:** Not explicitly stated; the investigation was already under way before Christmas 2025, shortly before the public report on Monday, December 29, 2025.
- **Incident Date:** Occurred sometime prior to the investigation, while the perpetrator was a staffer.
- **Affected Organization:** Coupang (Korean e-tailer)
- **Sector:** E-commerce/Retail
- **Geography:** South Korea
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown, prior to investigation.
- **Vector:** Compromised internal credentials/Security Key.
- **Details:** The alleged perpetrator stole a security key while employed at Coupang.
### Data Access
- **Date/Time:** During the incident window.
- **Vector:** Stolen security key used from the perpetrator's own PC and MacBook Air.
- **Details:** The individual used the security key to query customer records. Investigators found a script on the PC hard drive that was used to run the attack.
### Data Exfiltration/Impact
- **Date/Time:** During or immediately following data access.
- **Details:** The accused viewed the order histories and building access codes associated with "roughly 3,000" customer accounts. The accused claimed all data was retained only on the local machines (PC/MacBook Air) and subsequently deleted after media reports surfaced.
### Detection & Response
- **Date/Time:** Investigation under way before Christmas 2025; public report on Monday, December 29, 2025.
- **Details:** Coupang conducted a forensic investigation with Mandiant, Palo Alto Networks, and Ernst & Young and secured sworn statements from the alleged perpetrator. After media reports surfaced, the accused destroyed evidence.
## Attack Methodology
- **Initial Access:** Theft and use of an internal security key by a former staffer.
- **Persistence:** Not described; the access was run from the perpetrator's own PC and MacBook Air rather than through any implanted foothold.
- **Privilege Escalation:** Not described; the stolen security key itself provided the level of access used.
- **Defense Evasion:** Unknown during the access phase, but later involved physical destruction of evidence (submerging a laptop).
- **Credential Access:** Theft/misuse of a valid, internal security key.
- **Discovery:** Not described beyond the targeting of order histories and building access codes.
- **Lateral Movement:** None described; activity was confined to the perpetrator's PC and MacBook Air.
- **Collection:** Targeted gathering of order histories and building access codes (3,000 records).
- **Exfiltration:** Claimed retention was only local; no indication of external exfiltration was found by investigators ("never moved it off his PC and MacBook Air").
- **Impact:** Unauthorized viewing of sensitive customer data.
## Impact Assessment
- **Financial:** Coupang announced it would gift 33 million customers a ₩50,000 ($35) voucher, totaling an estimated cost of $1.17 billion.
- **Data Breach:** Access to data describing 33 million customers. Specifically, the order histories and building access codes for approximately 3,000 accounts were viewed.
- **Operational:** No immediate operational disruption mentioned, but South Korean government commissioned an inquiry into company operations.
- **Reputational:** Significant negative publicity, necessitating a massive compensation gesture to mitigate fallout.
## Indicators of Compromise
- **Network indicators:** None provided.
- **File indicators:** Attack script found on the hard drive of the surrendered PC.
- **Behavioral indicators:** Unauthorized access to customer databases, followed by physical evidence destruction (throwing a MacBook Air with bricks into a river). Serial number matching the recovered laptop to the accused's iCloud account served as a key corroborating indicator.
## Response Actions
- **Containment:** Not explicitly stated beyond launching the forensic investigation with Mandiant, Palo Alto Networks, and Ernst & Young.
- **Eradication steps:** Not explicitly stated, but focused on forensic review, securing sworn statements, and ensuring local deletion by the accused.
- **Recovery actions:** Commitment to compensate 33 million affected customers with vouchers.
## Lessons Learned
- Insider threat management, specifically concerning the access and handling of security keys by departing or current staff, is paramount.
- An attacker's attempt to destroy evidence can still leave recoverable forensic traces: the recovered laptop's serial number was matched to the accused's iCloud account.
- A security failure that potentially impacts over half the national population results in massive financial and reputational liabilities, even if the actual *viewed* data volume is smaller.
## Recommendations
- Implement stricter lifecycle management and auditing of high-privilege security keys: revoke or rotate keys when their holder leaves, and log every use.
- Enhance monitoring for anomalous access patterns related to bulk customer data queries, even when they originate from seemingly authorized internal assets.
- Ensure company hardware is recovered and wiped upon employee departure, and prevent bulk customer data from being copied to and retained on endpoints such as laptops.
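The following Python script is an added example, not code from the Coupang report or from any system it describes. It implements the first two recommendations against a constructed audit log: it flags use of a data-access key after its owner's offboarding date, and it flags a single key that reads an unusually large number of distinct customer records inside a short window (the pattern a scripted bulk read from an employee workstation would produce). The log format, key inventory, key names, hostnames, window and threshold are all assumptions for illustration.

```python
"""Detect misuse of high-privilege data-access keys in an audit log.

Added example; not Coupang code. The log format (timestamp, key id, source
host, customer id, dataset), the key inventory and all names are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical key inventory: key id -> (owner, offboarding date or None).
# A key whose owner has an offboarding date should never be used after it.
KEY_INVENTORY = {
    "svc-key-0412": ("alice", None),
    "svc-key-0913": ("bob", datetime(2025, 6, 30)),  # bob left on 30 Jun
}


def build_sample_log():
    """Constructed audit records for the example (not real data).

    One line per customer record read: ISO timestamp, key id, host,
    customer id, dataset. A normal service key reads five customers over an
    hour; an offboarded user's key reads 120 customers in four minutes.
    """
    lines = []
    base = datetime(2025, 7, 1, 9, 0, 0)
    for i in range(5):
        ts = base + timedelta(minutes=12 * i)
        lines.append(f"{ts.isoformat()} svc-key-0412 app-01 C10{i:02d} orders")
    start = datetime(2025, 7, 2, 22, 10, 0)
    for i in range(120):
        ts = start + timedelta(seconds=2 * i)
        dataset = "access_codes" if i % 2 else "orders"
        lines.append(f"{ts.isoformat()} svc-key-0913 pc-77 C2{i:03d} {dataset}")
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into (timestamp, key_id, host, customer_id, dataset)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, key_id, host, customer_id, dataset = line.split()
        records.append((datetime.fromisoformat(ts), key_id, host, customer_id, dataset))
    records.sort(key=lambda r: r[0])
    return records


def stale_key_uses(records, inventory):
    """Flag keys used after their owner's offboarding date, or not in inventory.

    Returns one (kind, key_id, first_seen_iso) tuple per offending key.
    """
    first_seen = {}
    for ts, key_id, _host, _customer_id, _dataset in records:
        owner, offboarded = inventory.get(key_id, (None, None))
        if owner is None:
            kind = "unknown-key"
        elif offboarded is not None and ts >= offboarded:
            kind = "stale-key"
        else:
            continue
        first_seen.setdefault((kind, key_id), ts)
    return sorted((k, key, ts.isoformat()) for (k, key), ts in first_seen.items())


def bulk_enumeration(records, window=timedelta(minutes=10), threshold=50):
    """Flag keys reading more than `threshold` distinct customers in any `window`.

    Uses a sliding window per key so a slow trickle of reads is not flagged
    but a scripted bulk read is. Returns (kind, key_id, peak_distinct, at_iso).
    """
    by_key = defaultdict(list)
    for ts, key_id, _host, customer_id, _dataset in records:
        by_key[key_id].append((ts, customer_id))
    alerts = []
    for key_id, events in by_key.items():
        events.sort()
        in_window = Counter()
        left = 0
        peak, peak_at = 0, None
        for ts, cid in events:
            in_window[cid] += 1
            while ts - events[left][0] > window:  # drop reads older than the window
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) > peak:
                peak, peak_at = len(in_window), ts
        if peak > threshold:
            alerts.append(("bulk-enumeration", key_id, peak, peak_at.isoformat()))
    return sorted(alerts)


def analyse(text, inventory=KEY_INVENTORY):
    """Run both checks over raw log text and return all alerts."""
    records = parse_log(text)
    return stale_key_uses(records, inventory) + bulk_enumeration(records)


if __name__ == "__main__":
    for alert in analyse(build_sample_log()):
        print(alert)
```

In a real deployment the inventory would come from the identity or secrets system and the log from the database's audit stream; the threshold should be set from the observed per-key baseline, and the stale-key check is the one that would have fired on day one if departing staff's keys had been recorded and revoked.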