South Korea's Ministry of Science and ICT on Monday announced the results of a joint public-private investigation team’s probe into a Coupang security incident.

The scale of the leak was confirmed at more than 30 million cases, more than 6,600 times the initial report of 4,536 cases. Coupang received a customer report on Nov. 16 last year about an email suspected of involving a personal data leak.

Coupang became aware of the incident on Nov. 17 through its own investigation and reported to the Korea Internet & Security Agency (KISA) on Nov. 19 that information from 4,536 accounts had been leaked. However, a KISA on-site investigation found the leak involved more than 30 million accounts.

The investigation team analysed 25.6 terabytes of stored data covering a total of 664.2 billion Coupang access logs from Nov. 29, 2024 to Dec. 31, 2025. It also conducted forensic analysis of the attacker’s PC storage device and a laptop belonging to a Coupang developer who was employed at the company.

The probe found the attacker leaked 33,673,817 cases of names and email addresses from April 14 to Nov. 8 last year via the “edit my information” page. The delivery address list page was accessed 148,056,502 times and included a shared building entrance password that was de-identified with names, phone numbers, addresses and special characters.

The delivery address list edit page was accessed 50,474 times and included the shared building entrance password without de-identification. The order list page was accessed 102,682 times. The Personal Information Protection Commission will make the final determination of the scale of the personal data leak.

The attacker was identified as a back-end developer who, while employed at Coupang, carried out work designing and developing the user authentication system. After stealing a signing key he managed while employed, he used it after leaving the company to forge and falsify an “electronic access pass”.

Normal users obtain an “electronic access pass” by going through the login process and access services after verification by Coupang’s gateway server. The attacker, however, was able to access Coupang services without authorisation and without a normal login using a forged “electronic access pass”.

The attacker conducted attack tests from Jan. 5 to 20 this year, then launched a large-scale attack from April 14 using an automated web-crawling tool. A total of 2,313 IP addresses were used in the process.

The investigation team pointed to problems in Coupang’s security system. There was no system to verify whether an “electronic access pass” had been legitimately issued, and although vulnerabilities were found through penetration testing, overall improvements were not made.

Under internal rules, the signing key was supposed to be stored only in a “key management system”, but it was stored on the employed developer’s laptop, and there was also no system to manage key issuance records. The signing key was not immediately renewed even after the developer left the company.

It also failed to detect and block repeated use of the same server user identification number and abnormal access using a forged “electronic access pass”.

Violations of the law were also confirmed. Coupang reported to KISA at 9:35 p.m. on Nov. 19, more than 24 hours after the time it reported to its chief information security officer at 4 p.m. on Nov. 17 last year. The Information and Communications Network Act requires reporting within 24 hours of recognising an incident. The ministry plans to impose an administrative fine of up to 30 million won.

The ministry also confirmed a violation of an order to preserve materials. The ministry ordered Coupang to preserve materials at 10:34 p.m. on Nov. 19, but Coupang did not adjust its automatic log storage policy and about five months of web access logs, from July to November last year, were deleted. Application access logs were also deleted for data from May 23 to June 2 last year. The ministry requested an investigation by investigative authorities.

The ministry will require Coupang to submit an implementation plan for measures to prevent recurrence within this month and plans to check implementation from March to May.