General 21.01.2026
AI Autopsy: Coupang Tackles a Malicious Insider
How did a former employee go undetected for five months?
Talk about finishing 2025 with a bang. South Korean e-commerce giant Coupang made headlines for all the wrong reasons in December, after becoming the victim of the country’s worst-ever data breach. It soon claimed the scalp of CEO Park Dae-jun, although in some ways, Coupang had a lucky escape. The trove of stolen data affecting 33.7 million customer accounts did not include passwords or payment details.
However, that’s where the good news ends for South Korea’s answer to Amazon. The firm made multiple technical and communication errors before and after the insider incident, providing plenty for CISOs to digest.
According to statements from Coupang and testimony to South Korea’s National Assembly, the incident was caused by a former software developer who retained system access after leaving the company, allowing him to extract data over a prolonged period.
The man, a Chinese national whose contract ended in December 2024, allegedly retained an internal cryptographic key after leaving the company. After media coverage surfaced, the insider panicked and attempted to destroy the evidence. In a dramatic turn, he smashed his MacBook Air, weighted it with bricks, and threw it into a river.
But that wasn’t the end of the incriminating MacBook. With the perp’s help, the device was recovered and examined by forensic teams before being handed over to authorities. Notably, the breach is believed to have begun in June 2025 and remained undetected for around five months before being discovered in November of that year.
Coupang’s communication strategy has been widely criticised. The firm initially claimed that data belonging to just 4,500 customers had been stolen, well short of the final figure of close to 34 million. This included customer names, phone numbers, email and delivery addresses and order histories, although passwords and payment information were not compromised. Also in the trove were several thousand building access codes, used for delivery workers to place packages inside apartment blocks. This potentially puts victims in physical danger and exposes them to the risk of identity fraud.
The Coupang breach is a prime example of how “a single, unconstrained insider” can cause “an organisation-wide compromise”, Avella Security partner, Daryl Flack, tells Assured Intelligence.
The former Coupang employee appears to have used his internal security key to access and then pull bulk customer records at scale via scripted queries, routing the attack via overseas servers to obfuscate his location. He managed to do all this without triggering timely detection or containment, Flack points out.
This exposes gaps in key lifecycle management, offboarding processes and anomaly detection. “The ease with which the ex-employee could extract the data suggests that system secrets were not adequately constrained and that supporting systems lacked guardrails to detect and prevent bulk access,” he explains.
However, in many organisations, hardware-backed keys, API tokens and service credentials are issued outside of core identity and access management (IAM) workflows and are not automatically revoked during offboarding, says Oliver Newbury, former CISO at Barclays. “Once that happens, access from a personal device does not necessarily trigger alarms because the authentication path itself is still valid and trusted,” the Halcyon chief strategy officer tells Assured Intelligence.
So, from a detection perspective, the system sees an authorised identity performing authorised actions, even though the business context has fundamentally changed, he explains.
For Coupang, this had major consequences. Possession of the signing key effectively meant the attacker could gain control of “the trust anchor of the authentication system”, Newbury says. This enabled the adversary to bypass standard login, identity verification and session controls entirely, because any token he minted would validate successfully on the server side.
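The mechanism Newbury describes, and the control that neutralises it, can be shown with a small HMAC-signed token scheme. The example below is added here for illustration and is not Coupang's code or a description of its actual token format; the key ids `k-2024`/`k-2025`, the principal `svc-dev` and the scope names are constructed. It shows why a server that only checks signatures will accept anything minted with a leaked key, and why offboarding must retire that key id server-side rather than just delete the user account.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SigningKeyRing:
    """Server-side signing keys indexed by key id. Only ids in `active` may validate tokens."""

    def __init__(self) -> None:
        self.keys: dict = {}
        self.active: set = set()

    def issue(self, key_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.keys[key_id] = key
        self.active.add(key_id)
        return key

    def retire(self, key_id: str) -> None:
        # Offboarding or suspected compromise: the key stays for audit but validates nothing.
        self.active.discard(key_id)


def mint_token(key_id: str, key: bytes, claims: dict) -> str:
    """Whoever holds `key` can mint tokens the server accepts: the key is the trust anchor."""
    header = _b64(json.dumps({"alg": "HS256", "kid": key_id}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify_token(token: str, ring: SigningKeyRing, now: Optional[float] = None):
    """Return the claims if signed by an *active* key and unexpired, else None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        kid = json.loads(_unb64(header_b64)).get("kid")
        sig = _unb64(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return None
    if kid not in ring.active:
        return None  # retired, revoked or unknown key id: fails closed
    expected = hmac.new(ring.keys[kid], f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(_unb64(body_b64))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None
    return claims


def offboarding_scenario():
    """Returns (accepted before offboarding, old key accepted after rotation, new key accepted)."""
    ring = SigningKeyRing()
    old_key = ring.issue("k-2024")  # constructed: a key a developer copied before leaving
    claims = {"sub": "svc-dev", "scope": "customers:read", "exp": time.time() + 3600}
    before = verify_token(mint_token("k-2024", old_key, claims), ring) is not None
    # Offboarding done properly: retire the key the leaver held and issue a fresh one.
    ring.retire("k-2024")
    new_key = ring.issue("k-2025")
    after_old = verify_token(mint_token("k-2024", old_key, claims), ring) is not None
    after_new = verify_token(mint_token("k-2025", new_key, claims), ring) is not None
    return before, after_old, after_new


if __name__ == "__main__":
    print(offboarding_scenario())  # (True, False, True)
```

The point of `retire()` is that revocation happens at the verifier, not at the client: a leaver's copy of the key becomes worthless the moment its id leaves the active set, which is the control that a user-account-only offboarding process misses.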
Being unable to identify the hack for five months “did not put Coupang off to a good start” in its incident response, Mark Johnson, head of presales security at ANS Group, tells Assured Intelligence.
However, at the end of December, the firm tried to claw back trust with plans to distribute purchase vouchers worth around 1.7 trillion won (£860m) to customers, starting January 15.
Reaction has been mixed, with some criticising the firm for turning the incident into a business opportunity. While Coupang’s post-breach forensics work and cooperation with regulators and law enforcement were competent, its approach to customer compensation has been “clumsy”, argues Avella Security’s Flack.
“A no-strings-attached model is preferable”, he says. For example, complimentary credit monitoring and identity protection services for affected customers would likely have been better received than a locked-in voucher scheme, which has “made a bad PR situation worse”.
However, since compensation is not necessarily expected following cyber attacks, it is “an interesting example of brand reputation management in the wake of an incident”, according to ANS Group’s Johnson. Tracey Hannan-Jones, information security consulting director at UBDS Digital, is also broadly sympathetic. “While some customers appreciate the goodwill gesture, others see it as insufficient or a way to avoid deeper accountability,” she tells Assured Intelligence. “The real test is whether the firm has demonstrated long-term improvements in its security and transparency.”
The incident is the latest example of how insider threats are among the most difficult to detect. According to IBM, they not only cost more on average ($4.9m versus $4.4m), but take longer to identify and contain (260 days versus 241 days) than regular breaches.
Insiders with legitimate access will often be able to evade traditional security controls, enabling them to cause more damage, according to Arda Büyükkaya, senior cybersecurity threat analyst at EclecticIQ. “The abuse of legitimate credentials can persist quietly for months without triggering alerts unless organisations are explicitly monitoring for misuse of trust rather than just perimeter breaches,” he tells Assured Intelligence.
When someone leaves the company, CISOs should ensure that offboarding processes “immediately revoke all credentials, tokens and keys across every system”, and that long-lived credentials are eliminated wherever possible, adds ANS’s Johnson. “The breach also highlights the importance of detecting abnormal behaviour from valid users, as trusted credentials can mask malicious activity,” he says.
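Johnson's second recommendation, detecting abnormal behaviour from a valid identity, and Flack's point about guardrails against bulk access both come down to monitoring what an authorised principal does rather than whether it authenticated. The following is an added example, not anything from Coupang or the quoted firms: a small detector run over a constructed access log (the principals, IP addresses and timestamps are made up, with `203.0.113.45` taken from the documentation address range). It flags any principal whose exported row count or request count in a sliding window exceeds a threshold, and any access from a source outside an allow-list, which is the kind of rule that would have surfaced scripted bulk queries from an overseas host.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format: one access event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) principal=(?P<principal>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) rows=(?P<rows>\d+)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    e["rows"] = int(e["rows"])
    return e


def detect_anomalous_access(lines, window=timedelta(hours=1), max_rows=10_000,
                            max_requests=50, trusted_srcs=frozenset()):
    """Return findings for bulk access within `window` and for untrusted source addresses."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_principal = defaultdict(list)
    for e in events:
        by_principal[e["principal"]].append(e)

    findings = []
    for principal, evs in by_principal.items():
        start, rows = 0, 0
        for end, e in enumerate(evs):
            rows += e["rows"]
            # Slide the window start forward until it covers at most `window` of time.
            while e["ts"] - evs[start]["ts"] > window:
                rows -= evs[start]["rows"]
                start += 1
            count = end - start + 1
            if rows > max_rows or count > max_requests:
                findings.append({"principal": principal, "reason": "bulk_access",
                                 "window_end": e["ts"], "rows": rows, "requests": count})
                break  # one finding per principal is enough to raise an alert

    seen = set()
    for e in events:
        if trusted_srcs and e["src"] not in trusted_srcs and (e["principal"], e["src"]) not in seen:
            seen.add((e["principal"], e["src"]))
            findings.append({"principal": e["principal"], "reason": "untrusted_source",
                             "src": e["src"], "first_seen": e["ts"]})
    return findings


# Constructed sample: a normal service doing single lookups from an internal host,
# and a dormant developer identity exporting in bulk from an external address.
SAMPLE_LOG = [
    "2025-06-12T01:00:00Z principal=svc-orders src=10.20.0.5 action=customers.lookup rows=1",
    "2025-06-12T01:05:00Z principal=svc-orders src=10.20.0.5 action=customers.lookup rows=1",
    "2025-06-12T02:10:00Z principal=svc-dev src=203.0.113.45 action=customers.export rows=5000",
    "2025-06-12T02:20:00Z principal=svc-dev src=203.0.113.45 action=customers.export rows=5000",
    "2025-06-12T02:30:00Z principal=svc-dev src=203.0.113.45 action=customers.export rows=5000",
    "this line is malformed and must be skipped",
]


def run_sample():
    return detect_anomalous_access(SAMPLE_LOG, trusted_srcs=frozenset({"10.20.0.5"}))


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

Thresholds are deliberately per-principal rather than global: a batch job that legitimately reads a million rows needs its own baseline, whereas an identity that has never exported anything should trip on its first few thousand. The allow-list check is the complement to the key-rotation control: even a valid signature from a retired employee's home connection is worth an alert.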
The public reaction to the breach shows that incident response extends beyond technical containment, Johnson continues. “How an organisation communicates with and protects affected customers is critical to maintaining trust, and should be treated as an integral part of your security strategy.”
Nearly two months on, Coupang is still feeling the impact of the incident. The breach contributed to a drop of roughly two million daily active users on its platform, a fall in the share price, executive resignations, looming regulatory fines, and potentially long-term reputational damage in a market where trust is critical.
Ultimately, the success of its response will depend on how well it has strengthened its cybersecurity measures following the attack, says Johnson. “Insider system access will be its pain point in the coming months,” he concludes. “And implementing authentication that lets the right people in and blocks those with malicious intent will be how it rebuilds customer trust.”