Coupang $409M fine exposes systemic log deletion and non-member data exposure in insider breach

The breach ran undetected from January to October 2025 because Coupang ignored traffic spikes and millions of nonexistent-ID attempts. The ex-employee, who built the alternative auth system, reassembled profiles including order histories and apartment codes before extortion attempts. PIPC documented four ignored notification orders for non-members and referred the firm for criminal prosecution after manual deletion of six months of access logs post-preservation order, wiping 13 percent of attack-period records.

Mandiant, Palo Alto Networks and EY forensics recovered a weighted MacBook Air from a river, confirming deliberate evidence destruction. This pattern matches SK Telecom's earlier 134.8 billion won fine yet escalates enforcement fivefold, revealing regulators now treat basic safety failures and log tampering as prosecutable rather than administrative. Procurement records show PIPC staffing and audit budgets rose sharply after 2024 parliamentary hearings.

Mainstream coverage missed the operational signal: e-commerce platforms holding recipient data without consent create unmonitored attack surfaces that insider key theft exploits at scale. The 65 percent population coverage makes Coupang a de-facto national registry whose deletion of logs directly prevented full victim identification.

Next enforcement actions will target affiliate programs and automatic log policies; similar fines are expected against other Korean platforms within 12 months as PIPC completes expanded audits ordered in January 2026.