Record $409M Coupang Fine and School Insider Incident
17.06.2026

Coupang Fined $409M After Insider Data Leak

South Korea’s Personal Information Protection Commission (PIPC) imposed a record fine of 624.7 billion won (approx. $409M) on Coupang, the country’s largest e-commerce platform, following a major data breach and additional violations related to the processing of personal information.

The 2025 incident affected around 37.5 million individuals. This included approximately 33.2 million registered Coupang users and 4.3 million non-users whose information was stored in the system as order delivery recipients. The scale of the incident is especially significant, as the number of affected individuals is equivalent to more than half of South Korea’s population.

The exposed data included:

  • Names
  • Contact information
  • Address information
  • Order history

Separately, the regulator found that Coupang had unlawfully collected online activity data from around 11.17 million users across third-party websites and applications without proper consent.

The total penalty consists of two parts: 423.6 billion won for violations related to the personal data breach and 201.1 billion won for the unlawful collection of users’ online activity data.

According to the regulator, the incident was caused by serious failures in basic security controls, including weak authentication key management and insufficient access control. The investigation revealed that a former employee, who had previously helped develop Coupang’s alternative authentication system, stole a signing key prior to leaving the company in late 2024. He subsequently used the key to forge authentication tokens, gaining automated access to customer data pages over several months.
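The key-management control at issue, as an added example that is not Coupang's code: a token verifier that stops trusting a signing key at rotation time, so a copy taken before offboarding no longer yields accepted tokens. The report does not describe the real token format; the HMAC-signed token, the key IDs `k-old`/`k-new`, the secrets and the rotation time are all constructed assumptions.

```python
import base64, hashlib, hmac, json

RETIRED = 1_735_689_600  # constructed rotation time (2025-01-01 UTC)
# Hypothetical key ring: kid -> secret and the time the verifier stops trusting it.
KEYS = {
    "k-old": {"secret": b"constructed-old-secret", "not_after": RETIRED},
    "k-new": {"secret": b"constructed-new-secret", "not_after": None},
}

def _enc(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(kid, body):
    return hmac.new(KEYS[kid]["secret"], body.encode(), hashlib.sha256).digest()

def sign(kid, claims):
    body = _enc(json.dumps({**claims, "kid": kid}, sort_keys=True).encode())
    return body + "." + _enc(_mac(kid, body))

def verify(token, now):
    """Return (claims, None) on success, otherwise (None, reason)."""
    try:
        body, sig = token.split(".")
        claims, sig_raw = json.loads(_dec(body)), _dec(sig)
        key = KEYS[claims["kid"]]
    except (ValueError, KeyError, TypeError):
        return None, "malformed"
    if not hmac.compare_digest(_mac(claims["kid"], body), sig_raw):
        return None, "bad-signature"
    # Verifier's clock decides, never iat/exp: a key holder controls every claim.
    if key["not_after"] is not None and now >= key["not_after"]:
        return None, "valid-signature-retired-key"  # alert: old key is in use
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None, "expired"
    return claims, None

if __name__ == "__main__":
    old = sign("k-old", {"sub": "customer-1", "iat": RETIRED - 60, "exp": RETIRED + 10**7})
    print(verify(old, RETIRED - 1))      # accepted while the key is still trusted
    print(verify(old, RETIRED + 86400))  # rejected once the key is retired
```

A valid signature under a retired key is worth alerting on separately from a bad signature, because it shows that someone still holds the old key.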

Coupang disagreed with the decision and said it intended to challenge the ruling in court. The company also expressed regret that its explanations and measures to mitigate secondary damage had not been fully taken into account. Furthermore, PIPC plans to refer the case to prosecutors for possible criminal proceedings related to the deletion of several months of access logs during the investigation.

As a result of this insider leak, Coupang faced not only a record regulatory fine, but also a prolonged and large-scale reputational crisis. The incident triggered intense regulatory pressure, public criticism, changes at the senior management level and the risk of further legal consequences.

Iowa School District Insider Breach

Former IT specialist Ezekiel Dean Potter, 34, of Saydel Community School District in Iowa, was sentenced to 21 months in prison for carrying out prolonged attacks against the systems of his former employer.

Potter worked as a senior IT support specialist from May 2022 to April 2023. Following his termination, he retained access to accounts and deliberately targeted the school district’s IT infrastructure for more than a year and a half.

First, he deleted the school district’s Facebook page. Later, Potter gained access to Apple School Manager and deleted user accounts, passwords, phone numbers, payment information and device management server data. This effectively locked staff out of the platform and disrupted the management of MacBooks and iPads for about a week while district specialists worked with Apple to restore access.

Potter later attempted to access GoDaddy and other online services used by the district. In January 2025, he used a Google administrator account to access the Schoology learning management system and deleted the account of an IT employee. This disrupted teachers’ access to the platform and affected classes. A week later, he deleted nine Gmail accounts belonging to current and former district employees, including the accounts of the IT Director and the Superintendent.

The targeted attacks against the school district’s systems and servers disrupted educational processes and caused financial losses estimated in the tens of thousands of dollars.

After Google issued security warnings about unauthorized account access, Potter began using VPN services in an attempt to hide his activity. However, federal investigators linked part of the activity to IP addresses associated with his subsequent workplaces. A key piece of evidence was a flash drive that Potter had asked a former colleague to retrieve and wipe. Instead, the flash drive was handed over to investigators. It contained spreadsheets with usernames and passwords for the school district’s accounts and services.

Potter pleaded guilty to computer fraud. The court sentenced him to 21 months in prison, followed by three years of supervised release, and ordered him to pay $59,668.81 in restitution to the school district and its insurance company.


The Iowa school district case is a reminder that insider risk is not always a data leak. A former employee may not steal customer databases, but retained access, malicious actions and system sabotage can still disrupt operations, damage business continuity and cause direct financial losses.

That is why insider risk management requires more than legacy DLP focused solely on data leakage incidents. SearchInform Risk Monitor delivers continuous visibility into user activity. By monitoring employee behavior in real time, it helps organizations detect, investigate and mitigate a wider range of employee-related risks, including different types of corporate fraud, data leaks, policy violations, suspicious user behavior and sabotage attempts.

