Investigation into the data breach at South Korea's Coupang: A dual Crisis of Security vulnerabilities and stock price fluctuations

In November 2025, South Korean e-commerce giant Coupang was embroiled in a public relations crisis after the personal information of over 33.7 million accounts was leaked. This data breach, affecting nearly 65% of South Korea's population, not only caused widespread panic but also led to a 2.3% drop in its stock price on the US stock market in a single day, with a market value loss of over 1 billion US dollars. As the joint investigation by the South Korean police and the government deepened, the technical vulnerabilities, management failures, and market reactions behind the incident gradually came to light.

I. Event Timeline: From Stealthy Infiltration to Full-blown Outbreak

Investigations revealed that the attack could be traced back to June 24, 2025, when hackers implanted malicious programs through overseas servers and exploited a vulnerability in Coupang's identity verification system to steal data without triggering any alarms. It wasn't until November 18 that the company noticed abnormal login activities and initially reported that only 4,500 accounts had been compromised. However, subsequent investigations confirmed that 33.7 million accounts were actually affected, including core information such as names, phone numbers, and addresses.

The South Korean police disclosed that the attackers might have gradually infiltrated the system through a long-term dormant "backdoor program," and Coupang did not report the incident to the police until November 25. This delayed disclosure is similar to the SK Telecom data breach in 2025, where the company was fined a record 134.8 billion won after hackers remained undetected for three years. Both incidents exposed systemic deficiencies in South Korean companies' cybersecurity monitoring, log recording, and emergency response.

II. Technical Vulnerabilities: Fatal Negligence in Identity Verification

The joint investigation team pointed out that Coupang's servers had three fatal vulnerabilities:

1. Ineffective permission management: After a former employee left the company, their identity verification key remained valid, allowing attackers to use their permissions to access the core database.

2. Missing log records: The company's servers did not fully record access logs from June to November 2025, making it impossible to trace the hackers' activities.

3. Lack of multi-factor authentication: Unlike US telecommunications operator T-Mobile, which uses FIDO hardware keys for enhanced protection, Coupang still relied on single-password verification, providing an opportunity for brute-force attacks.

The Personal Information Protection Commission (PIPC) of South Korea criticized Coupang for "almost complete failure" in data encryption, access control, and intrusion detection. For instance, there were 4,899 server credentials stored in plaintext in its core database, and 2,365 servers were not set with access passwords. Such elementary mistakes were also seen in the SK Telecom incident.

III. Market Reaction: Stock Price Plunge and Trust Crisis

After the data breach was made public, Coupang's stock price dropped by 2.3% in a single day on the US stock market, closing at $26.65 and reducing its market value to $48.68 billion. Although Barclays and other institutions maintained their "buy" ratings, investor confidence was severely damaged. The Personal Information Protection Commission (PIPC) is investigating whether Coupang violated the Personal Information Protection Act. If it is found that Coupang intentionally concealed or was negligent in management, the fine could exceed SK Telecom's 134.8 billion won. Moreover, over 10,000 users are preparing to file a class-action lawsuit, demanding that each victim be compensated over 100,000 won, with a potential total compensation of 3.37 trillion won. Previously, SK Telecom lost 5 million users to competitors due to a data breach. Coupang may suffer the same fate, with a potential loss of 20% of its 24.7 million monthly active users, resulting in a reduction of several billion dollars in annual revenue.

IV. Industry Warning: From "Passive Defense" to "Active Immunity"

The Coupang incident serves as a wake-up call for global enterprises. Security experts such as Feitian Technologies point out that the traditional "username + password" authentication method is no longer sufficient to counter advanced persistent threats (APT), and the passwordless authentication standards introduced by the FIDO Alliance (such as hardware security keys) can significantly reduce the risk of identity forgery. Additionally, enterprises need to establish a "zero trust" architecture, defaulting to distrust of all internal and external traffic and limiting the attack surface through continuous verification and the principle of least privilege.

The South Korean government is also taking action. The Ministry of Science and ICT announced that all enterprises handling data of more than 1 million users will be required to implement real-time intrusion detection and encrypted storage, and a 100 billion won cybersecurity fund will be established to support technological upgrades. However, for Coupang, fixing technical vulnerabilities is easy, but rebuilding user trust is difficult.

In this battle between data security and business reputation, every step Coupang takes in response will determine whether it can rise from the crisis. Global enterprises must also be vigilant: In the digital age, a single data breach can destroy the brand value accumulated over a decade. Security investment is no longer a cost but a bottom line for survival.