South Korean authorities have ordered Coupang to address critical security vulnerabilities following a massive data breach that exposed the personal information of 33.7 million customers. The Science Ministry announced Tuesday that a former Coupang engineer exploited authentication system weaknesses to access user accounts without proper login credentials, causing unauthorized information leaks that lasted from April through November 2025.

The probe revealed that the former employee, who had designed parts of Coupang's user authentication system, stole an internal security key to generate fake login tokens. The ministry accused Coupang of failing to detect forged logins and rotate signing keys after the developer's departure. South Korea's worst data breach has created trade friction with Washington, as American officials expressed concern over the treatment of U.S. tech companies operating in the country.

The ministry imposed an administrative fine of up to 30 million won ($20,596) for violating information network laws by delaying breach reporting beyond the required 24-hour period. Coupang became aware of the breach at 4:00 pm on November 17 but did not report it until 9:35 pm on November 19. The company also faces investigation for failing to comply with a data preservation order. Separate investigations by police and the country's personal data watchdog are continuing as authorities demand that Coupang implement a detection and blocking system for unauthorized electronic access cards.