Executive Summary
In June 2024, Coupang suffered a major data breach that exposed the personal information of approximately 33.7 million customers. The incident was traced to a former employee who maintained unauthorized access to internal systems after leaving the company. The ex-employee exploited residual system credentials to retrieve sensitive data, which included names, addresses, and contact details. Coupang discovered the breach during a security review and promptly notified regulatory authorities, emphasizing that no financial information or passwords were accessed. Immediate actions included revoking all unnecessary access and tightening access control policies.
This breach underscores the persistent issue of insider threats and the dangers of insufficient deprovisioning of system access. As remote work and rapid staff turnover continue, organizations face heightened pressure to implement robust identity and access management to prevent similar incidents.
Why This Matters Now
This incident highlights the urgent need for organizations to address insider threat risks and deprovision access for departing personnel. With increasing regulatory scrutiny and frequent staff changes, businesses must ensure comprehensive identity governance to mitigate exposure and reduce the window for unauthorized system access.
Attack Path Analysis
An ex-employee retained valid credentials and accessed Coupang’s internal cloud systems after departure. Leveraging leftover privileges, the attacker may have escalated or broadened access within the environment, then moved laterally to sensitive systems containing customer data. Covert communications and the use of legitimate access enabled command and control without immediate detection. Large volumes of customer information were exfiltrated from the environment over the network. The impact was a significant data breach affecting over 33 million customers.
Kill Chain Progression
Initial Compromise
Description
Ex-employee used retained valid credentials to access internal Coupang cloud systems post-employment.
MITRE ATT&CK® Techniques
- Valid Accounts
- Account Discovery
- Command and Scripting Interpreter
- Application Layer Protocol
- Brute Force
- Remote Services
- Exfiltration Over Web Service
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- PCI DSS 4.0 – Immediate revocation of access for terminated users (Control ID: 8.3.1)
- NYDFS 23 NYCRR 500 – Access Privileges (Control ID: 500.07)
- NIS2 Directive – User access and privilege management (Control ID: Article 21(2)(b))
- CISA Zero Trust Maturity Model 2.0 – Timely removal of identities and credentials (Control ID: Identity Pillar: Access Management)
- DORA (Digital Operational Resilience Act) – ICT User Access Management (Control ID: Article 9(2))
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Retail Industry
Ex-employee system access creates insider threat risks for customer data protection, requiring enhanced zero trust segmentation and egress security controls.
E-Learning
Online platforms face similar insider threats to customer databases, needing multicloud visibility and threat detection for anomaly response capabilities.
Financial Services
High-value customer data exposure risks from retained employee access demand strict east-west traffic security and encrypted communication protocols.
Health Care / Life Sciences
Patient data vulnerability to insider threats requires HIPAA-compliant threat detection systems and comprehensive access control policy enforcement measures.
Sources
- Coupang data breach traced to ex-employee who retained system access: https://www.bleepingcomputer.com/news/security/coupang-data-breach-traced-to-ex-employee-who-retained-system-access/
- Coupang data breach traced to ex-employee with system access: https://beinsure.com/news/coupang-data-breach-traced-to-ex-employee/
- Coupang CEO resigns over historic South Korean data breach: https://fortune.com/2025/12/10/coupang-ceo-resigns-south-korea-data-breach/
- Coupang shares jump after company identifies ex-employee in data breach: https://www.investing.com/news/stock-market-news/coupang-shares-jump-after-company-identifies-exemployee-in-data-breach-93CH-4423026
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix CNSF controls such as Zero Trust Segmentation, East-West Traffic Security, Egress Policy Enforcement, and Multicloud Visibility would have contained lateral movement, restricted exfiltration pathways, and enabled rapid detection of anomalous insider activity. Least privilege and microsegmentation could have severely constrained the former employee’s ability to access and move data outside of designated roles.
- Zero Trust Segmentation: access from departed users is blocked at the network and identity layer.
- Multicloud Visibility & Control: anomalous privilege escalations are detected and quickly alerted.
- East-West Traffic Security: unauthorized east-west access is denied and flagged.
- Threat Detection & Anomaly Response: unusual remote session patterns or covert C2 channels are detected and alerted in real time.
- Egress Security & Policy Enforcement: unsanctioned data exports are blocked and reported.
Expected outcome: breach scope limited and incident contained more rapidly.
Impact at a Glance
Affected Business Functions
- Customer Service
- Order Processing
- Logistics
Estimated downtime: 7 days
Estimated loss: $5,000,000
Personal information of approximately 33.7 million customers, including names, email addresses, phone numbers, shipping addresses, and certain order histories, was exposed. Sensitive information such as payment details and login credentials remained secure.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust Segmentation to limit access strictly to active, authorized identities and workloads.
- Continuously monitor for and alert on privilege escalations, account reactivation, and anomalous access events.
- Deploy East-West Traffic Security controls to microsegment workloads and prevent lateral movement within cloud environments.
- Implement comprehensive Egress Security and Policy Enforcement to detect and block unsanctioned data exfiltration.
- Leverage Multicloud Visibility and Threat Detection for rapid response to insider and post-employment account abuse.
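The failure at the heart of this incident is an account that outlived its owner's employment. The following added example (not Coupang's or Aviatrix's code) shows the reconciliation check a defender would run to catch it: HR termination dates are joined against an identity-store export and an authentication log to flag accounts still enabled, accounts re-enabled after departure, and any sign-in activity after the last working day. The three input formats and all sample records are constructed for illustration.

```python
# Offboarding reconciliation: surface residual access after termination.
# Added example, not Coupang's or Aviatrix's code; the HR export, identity
# store and auth log below are constructed and their formats are assumed.
from datetime import datetime, timedelta

# Constructed HR export: user -> last working day (UTC date).
HR_TERMINATIONS = {"jlee": "2024-05-31", "mpark": "2024-06-14", "schoi": "2024-06-30"}

# Constructed identity-store export: user -> (account enabled?, last status change).
IDENTITY_STORE = {
    "jlee":  (True,  "2024-05-20"),   # never disabled after leaving
    "mpark": (True,  "2024-06-20"),   # disabled, then re-enabled after leaving
    "schoi": (False, "2024-06-30"),   # correctly disabled
    "hkim":  (True,  "2024-01-10"),   # current employee, must not be flagged
}

# Constructed auth log lines: "<timestamp> <user> <outcome> <service>".
AUTH_LOG = [
    "2024-06-02T03:14:00Z jlee SUCCESS vpn",
    "2024-06-03T22:41:00Z jlee SUCCESS db-admin-console",
    "2024-06-12T09:00:00Z mpark SUCCESS vpn",          # before termination: normal
    "2024-06-21T10:05:00Z mpark SUCCESS s3-export",
    "2024-07-01T08:00:00Z schoi FAILURE vpn",          # disabled account, attempt only
    "2024-06-02T09:00:00Z hkim SUCCESS vpn",
]

def reconcile(terminations, identities, auth_log):
    """Return sorted (user, finding, detail) tuples for departed users:
    NOT_DISABLED, REENABLED, POST_TERMINATION_LOGIN, POST_TERMINATION_ATTEMPT."""
    findings = []
    for user, last_day in terminations.items():
        # Access is legitimate until the end of the last working day.
        cutoff = datetime.strptime(last_day, "%Y-%m-%d") + timedelta(days=1)
        enabled, changed = identities.get(user, (False, None))
        if enabled:
            # Enabled with a status change after the cutoff means someone re-enabled it.
            kind = "REENABLED" if datetime.strptime(changed, "%Y-%m-%d") >= cutoff else "NOT_DISABLED"
            findings.append((user, kind, changed))
        for line in auth_log:
            ts, who, outcome, service = line.split()
            if who != user or datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ") < cutoff:
                continue
            kind = "POST_TERMINATION_LOGIN" if outcome == "SUCCESS" else "POST_TERMINATION_ATTEMPT"
            findings.append((user, kind, f"{ts} {service}"))
    return sorted(findings)

if __name__ == "__main__":
    for user, kind, detail in reconcile(HR_TERMINATIONS, IDENTITY_STORE, AUTH_LOG):
        print(f"{user:6} {kind:24} {detail}")
```

Run on a schedule, any POST_TERMINATION_LOGIN or REENABLED finding is a high-priority alert, while NOT_DISABLED findings feed the deprovisioning backlog before they become the former.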