Executive Summary
In June 2024, Coupang, South Korea’s largest online retailer, announced a data breach impacting 33.7 million customers after discovering unauthorized access to customer data in May 2024. The breach, attributed to an insider threat, exposed sensitive information including names, contact details, and purchase histories. Coupang committed $1.17 billion (1.685 trillion KRW) in compensation, underlining the massive scale and business impact. Investigations revealed that misuse of privileged access led to the data exfiltration, making this one of Korea’s most significant consumer data breaches.
This incident highlights escalating risks from insider threats amid expanding data footprints in retail and e-commerce. In the wake of regulatory scrutiny and increasing consumer privacy demands, organizations face mounting pressure to implement advanced east-west traffic monitoring, zero trust segmentation, and comprehensive anomaly detection to protect sensitive customer data.
Why This Matters Now
The Coupang breach illustrates the urgent need for robust insider threat protections as attackers and rogue employees increasingly target customer data stores. Retailers managing vast data volumes must rapidly evolve segmentation, traffic visibility, and policy enforcement to prevent similar large-scale breaches and regulatory penalties.
Attack Path Analysis
The insider leveraged legitimate access to initiate the breach, exploiting privileged credentials or roles to escalate their rights within the environment. Once elevated, they moved laterally across internal systems to locate and collect large volumes of customer data. The adversary maintained covert communications and potentially bypassed controls to stage the stolen data for exfiltration. Sensitive information was then exfiltrated out of the organization, likely via unsanctioned channels or services. Ultimately, this resulted in massive data exposure impacting millions of customers, leading to unprecedented operational and reputational impact.
Kill Chain Progression
Initial Compromise
Description
An insider with legitimate access abused their authorized credentials to begin unauthorized activities within internal systems.
MITRE ATT&CK® Techniques
The techniques listed below are logical inferences about insider-initiated data breaches; further enrichment via STIX/TAXII is possible once deeper event and contextual analysis is available.
Valid Accounts
Credentials in Files
Transfer Data to Cloud Account
Exfiltration Over Web Service
Data Staged
Data Destruction
Account Discovery
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Unique Identification for Users
Control ID: 8.2.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (EU Digital Operational Resilience Act) – ICT Risk Management
Control ID: Art 9
CISA Zero Trust Maturity Model 2.0 – Enforcement of Least Privilege and User Access Controls
Control ID: Identity Pillar: Least Privilege Access
NIS2 Directive – Technical and Organizational Measures to Manage Risks
Control ID: Article 21(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Retail Industry
The Coupang breach directly demonstrates insider threat vulnerabilities in customer data handling, requiring enhanced segmentation and egress security controls.
Financial Services
Insider threats pose significant risks to customer financial data, necessitating zero trust segmentation and comprehensive threat detection capabilities.
Information Technology/IT
IT sectors must implement cloud native security fabric and anomaly detection to prevent insider-driven data exfiltration and unauthorized access.
Health Care / Life Sciences
HIPAA compliance requirements demand encrypted traffic and east-west security controls to mitigate insider threats to sensitive patient information.
Sources
- Coupang to split $1.17 billion among 33.7 million data breach victims: https://www.bleepingcomputer.com/news/security/coupang-to-split-117-billion-among-337-million-data-breach-victims/
- Coupang Announces Compensation Plan to Restore Customer Trust: https://www.aboutcoupang.com/English/news/news-details/2025/update-on-coupang-korea-cybersecurity-incident/
- Coupang CEO resigns over historic South Korean data breach: https://fortune.com/2025/12/10/coupang-ceo-resigns-south-korea-data-breach/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Robust application of Zero Trust Segmentation, east-west traffic security, granular policy enforcement, anomaly detection, and comprehensive egress filtering would have severely restricted the insider's ability to move laterally, escalate privileges, and exfiltrate data. Continuous visibility and contextual policy controls could have detected suspicious activity or prevented data loss at multiple stages.
Control: Multicloud Visibility & Control
Mitigation: Unusual account or access patterns are detected early.
Control: Zero Trust Segmentation
Mitigation: Unnecessary privilege grants and lateral access are blocked.
Control: East-West Traffic Security
Mitigation: Unauthorized internal traffic is blocked and flagged.
Control: Threat Detection & Anomaly Response
Mitigation: Anomalous data staging or suspicious outbound connections are rapidly detected.
Control: Egress Security & Policy Enforcement
Mitigation: Unauthorized data egress is blocked or flagged for immediate response.
Mitigated risk of intercepted or altered data in transit during the attack.
Impact at a Glance
Affected Business Functions
- Customer Service
- E-commerce Operations
- Legal and Compliance
Estimated downtime: 30 days
Estimated loss: $1,170,000,000
Personal information of approximately 33.7 million customers, including names, emails, phone numbers, shipping addresses, and order histories, was exposed due to unauthorized access by a former employee.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to limit access strictly according to role and business need, preventing privilege abuse and lateral movement.
- Enforce granular east-west and egress policy controls to detect and block unauthorized traffic and data transfers within and out of the environment.
- Continuously monitor and baseline user, service, and network activities to enable rapid threat detection and incident response.
- Apply high-performance, in-line encryption for all sensitive data in transit to prevent leakage or interception.
- Centralize cloud and hybrid visibility to detect anomalous behavior and enforce consistent policies across diverse platforms.
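The baselining and egress checks described in the CNSF controls above (Threat Detection & Anomaly Response, Egress Security & Policy Enforcement) and in the monitoring takeaway, as an added example that is not part of the original brief and not code from any vendor product: a Python script run over constructed log lines (the log format, user names, sanctioned-destination list and thresholds are all assumptions) that flags a user whose daily customer-record volume far exceeds their own baseline, flags outbound transfers to destinations outside an allow list, and raises the severity when both occur for the same user on the same day, which is the staging-then-exfiltration pattern the attack path analysis describes.

```python
"""Baseline-and-egress detection over constructed access logs (illustrative)."""
from collections import defaultdict
from statistics import mean

# Constructed sample log lines; not from the incident. One event per line:
#   date,user,role,event,target,amount
# amount = records returned for customer_query, bytes sent for outbound_transfer.
SAMPLE_LOG = """\
2025-01-06,alice,support,customer_query,orders_db,150
2025-01-07,alice,support,customer_query,orders_db,170
2025-01-08,alice,support,customer_query,orders_db,140
2025-01-09,alice,support,customer_query,orders_db,160
2025-01-10,alice,support,customer_query,orders_db,2000000
2025-01-06,bob,dba,customer_query,orders_db,300
2025-01-07,bob,dba,customer_query,orders_db,280
2025-01-08,bob,dba,customer_query,orders_db,310
2025-01-09,bob,dba,customer_query,orders_db,290
2025-01-10,bob,dba,customer_query,orders_db,305
2025-01-10,alice,support,outbound_transfer,files.example-share.net,850000000
2025-01-10,bob,dba,outbound_transfer,backup.corp.example,400000000
"""

# Assumed policy values: destinations approved for bulk egress, and the
# thresholds for the per-user volume baseline.
SANCTIONED_EGRESS = {"backup.corp.example", "crm.corp.example"}
VOLUME_MULTIPLIER = 10      # flag a day that exceeds 10x the user's own baseline
MIN_RECORDS = 10_000        # ignore small absolute counts to limit noise


def parse_log(text):
    """Parse the comma-separated constructed log into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        date, user, role, event, target, amount = line.split(",")
        events.append({"date": date, "user": user, "role": role,
                       "event": event, "target": target, "amount": int(amount)})
    return events


def daily_query_volume(events):
    """Sum customer records returned per user per day."""
    volume = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["event"] == "customer_query":
            volume[e["user"]][e["date"]] += e["amount"]
    return volume


def volume_anomalies(events):
    """Return (user, date, amount, baseline) where a day's record volume far
    exceeds the mean of that user's other days (leave-one-out baseline)."""
    findings = []
    for user, by_day in daily_query_volume(events).items():
        for day, amount in sorted(by_day.items()):
            others = [v for d, v in by_day.items() if d != day]
            if not others:
                continue  # no history to baseline against
            baseline = mean(others)
            if amount >= MIN_RECORDS and amount > VOLUME_MULTIPLIER * baseline:
                findings.append((user, day, amount, round(baseline)))
    return findings


def egress_anomalies(events):
    """Return (user, date, destination, bytes) for transfers to destinations
    outside the sanctioned allow list."""
    return [(e["user"], e["date"], e["target"], e["amount"])
            for e in events
            if e["event"] == "outbound_transfer"
            and e["target"] not in SANCTIONED_EGRESS]


def correlate(events):
    """Join the two signals: an unsanctioned transfer by a user who also pulled
    an anomalous record volume the same day is rated high severity."""
    bulk_days = {(user, day) for user, day, _, _ in volume_anomalies(events)}
    alerts = []
    for user, day, dest, nbytes in egress_anomalies(events):
        severity = "high" if (user, day) in bulk_days else "medium"
        alerts.append({"user": user, "date": day, "destination": dest,
                       "bytes": nbytes, "severity": severity})
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for finding in volume_anomalies(evs):
        print("volume anomaly:", finding)
    for alert in correlate(evs):
        print("egress alert:", alert)
```

The leave-one-out baseline keeps a single spike from inflating the user's own average, and the absolute floor keeps low-volume accounts from tripping the multiplier on ordinary variation. In a real deployment the allow list and thresholds would come from policy, and the joined signal would feed the egress block or response workflow rather than a print statement.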