Suspect in Coupang data leak left firm in Dec. 2024, raising suspicions of earlier leak


Posted on : 2025-12-03 17:29 KST Modified on : 2025-12-03 17:29 KST
The suspect was a developer who developed Coupang’s authentication system, according to the firm
Delivery trucks for the Korean e-commerce giant Coupang sit in the lot of a distribution center in Seoul on Dec. 2, 2025, two days after news broke of a massive leak of customer data. (Yonhap)

The key suspect in a leak of personal information from around 33.7 million users of the online retailer Coupang is an authentication system developer for the business, it has been learned.

While the data leaks from Coupang have been found to date back to June of this year, the revelation that the suspect in question departed the company in December 2024 raises the possibility that the personal data of users was siphoned off before then.

In an emergency interpellation session Tuesday before the National Assembly Science, ICT, Broadcasting, and Communications Committee on the Coupang data leak, Coupang CEO Park Dae-jun explained that the former employee suspected in the incident was a “developer of authentication systems.”

As recently as the day before, it had only been reported that the suspect was an employee in charge of authentication duties. The latest revelation confirms that the person who leaked the information was a developer who would have had extensive knowledge of the company’s authentication system structure.

At the session that day, Ryu Je-myung, the second vice minister of science and ICT, explained that the attacker “accessed and leaked customer information multiple times through abnormal means without logging in.”

“In the process, an encryption key was used to electronically sign the authentication tokens used when connecting to Coupang servers,” he added.

Coupang CEO Park Dae-jun glances at Coupang Chief Information Security Officer Brett Matthes as he responds to questions from lawmakers on the National Assembly Science, ICT, Broadcasting and Communications Committee at the National Assembly in Yeouido, Seoul, on Dec. 2, 2025. (Yoon Woon-sik/Hankyoreh)

But Park disputed claims that access authority was retained even after the employee departed the company.

Stressing that the employee’s authorization was “revoked” in accordance with procedure, he went on to say, “For unknown reasons, the violator was in possession of key values.”

Brett Matthes, Coupang’s chief information security officer, explained that tokens are used for payment when a customer logs in normally. He added that all of Coupang’s authentication tokens were signed by a private key, and that the attacker created false tokens through authentication with a private key obtained from within Coupang.

According to his explanation, the lack of a basic response from the company — including the failure to delete the former employee’s account — was not connected to the leak.
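The distinction drawn above, between revoking a person's account and revoking trust in a signing key, can be shown with a small token verifier. This is an added example, not Coupang's code: the key ids, token layout, session ids and function names are all hypothetical, and HMAC-SHA256 stands in for the private-key signature so that it runs on the Python standard library alone.

```python
import base64, hashlib, hmac, json

# Constructed key material. HMAC-SHA256 stands in for the private-key
# signature described in the article (assumption, stdlib only).
KEYS = {"kid-old": b"constructed-key-held-by-ex-developer",
        "kid-new": b"constructed-key-issued-after-rotation"}

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _mac(kid, body):
    return _b64(hmac.new(KEYS[kid], body.encode(), hashlib.sha256).digest())

def sign_token(kid, customer, session_id, issued_at):
    """Whoever holds KEYS[kid] can mint this; no staff account is involved."""
    claims = {"kid": kid, "sub": customer, "sid": session_id, "iat": issued_at}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _mac(kid, body)

def verify_token(token, now, trusted_kids, login_sessions=None, max_age=900):
    """Return 'accept' or a reject reason.

    trusted_kids: key ids the verifier still honours (rotation shrinks it).
    login_sessions: session ids recorded at real logins; None skips the check.
    """
    try:
        body, sig = token.split(".")
        raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
        claims = json.loads(raw)
        kid, sid, iat = claims["kid"], claims["sid"], int(claims["iat"])
        expected = _mac(kid, body)
    except (ValueError, KeyError, TypeError):
        return "reject: malformed"
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return "reject: bad signature"
    if kid not in trusted_kids:
        return "reject: retired key"      # rotation is what cuts off a leaked key
    if now - iat > max_age:
        return "reject: expired"
    if login_sessions is not None and sid not in login_sessions:
        return "reject: no matching login"  # token was never issued by a login
    return "accept"

# Constructed scenario: one token minted outside the login flow with the old
# key, one issued by a real login after rotation.
NOW = 1_750_000_000
offline_token = sign_token("kid-old", "customer-123", "sid-made-up", NOW)
real_login = sign_token("kid-new", "customer-456", "sid-real", NOW)
```

A verifier that still trusts `kid-old` accepts the offline token regardless of any account status; retiring the key, or requiring a recorded login for each session id, rejects it.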

The dates of the attack, as currently ascertained by a joint private sector-government investigation team, were found to have been between June 24 and Nov. 8.

But the revelation during the interpellation session about the suspect having departed the company in December 2024 raised the possibility that the customers’ information was leaked prior to June.

During the session on Tuesday, Democratic Party Rep. Lee Jeong-heon asked Korea University Graduate School of Privacy and Data Protection professor Kim Seung-joo about the possibility of as-yet-undiscovered leaks having taken place at an earlier date.

“There is a possibility,” Kim replied.

Lee went on to ask about the possibility of the suspect having stolen sensitive customer information, such as credit card, payment, and login details, during their time at the company. Kim likewise agreed that the possibility existed.

In effect, the fact that Coupang initially detected the information leak only after the former employee sent a message reportedly threatening to expose the company’s security risks suggests the need to consider the possibility of additional information leaks having taken place before the first confirmed leak in June of this year.

The Korean government is currently weighing multiple options for punishment for Coupang, including increased penalties, punitive damages, and a suspension of operations. The Consumer Protection in Electronic Commerce Act stipulates that businesses may be subject to punishments up to and including suspension of operations when an electronic commerce transaction results in financial losses to customers.

When asked about this during the National Assembly session, Minister of Science and ICT Bae Kyung-hoon said the matter would be “actively discussed” with the relevant institutions.

By Seo Hye-mi, staff reporter; Sun Dam-eun, staff reporter

Please direct questions or comments to [english@hani.co.kr]
