Lessons from the 2025 Coupang Data Breach

Between November and December 2025, Coupang, one of South Korea’s largest e-commerce platforms, disclosed a significant data breach affecting approximately 33.7 million customer accounts. The incident was later traced to unauthorized access that had begun several months earlier. Although payment card details and passwords were reportedly not compromised, the scale of exposed personal data drew widespread public, regulatory, and investor attention. The case highlights how cybersecurity incidents can quickly escalate into governance and trust crises.



Key Control Weaknesses Identified

The Coupang breach exposed several fundamental control weaknesses that are highly relevant to internal audit.

First, access management controls were inadequate. The breach involved a former employee who retained system access after departure. This indicates weaknesses in joiner-mover-leaver processes and insufficient enforcement of timely access revocation.

Second, monitoring and detection controls were ineffective. Unauthorized access reportedly occurred over an extended period before being detected. This suggests gaps in log monitoring, anomaly detection, and escalation procedures.

Third, data protection controls were insufficiently layered. While sensitive financial credentials were not affected, large volumes of personally identifiable information were accessible. This raises concerns around least-privilege design, data segmentation, and the scope of access granted to internal users.

Governance and Incident Response Implications

Beyond technical failures, the incident revealed broader governance weaknesses. The delayed discovery and disclosure of the breach raised questions about management oversight, incident escalation protocols, and regulatory reporting readiness.

Coupang’s response included public apologies, executive accountability actions, and a large-scale customer compensation program. However, public debate quickly shifted from financial compensation to whether the organization had exercised adequate care in protecting customer data in the first place. This illustrates that reputational damage often exceeds the immediate financial impact of a breach.

From an internal audit viewpoint, this reinforces the importance of reviewing not only preventive controls, but also decision-making structures and crisis response governance.

The Insider Threat Dimension

The Coupang case also underscores the ongoing risk posed by insider threats. Not all cyber incidents originate from external attackers. Residual access rights, excessive privileges, and lack of periodic access review create opportunities for misuse.

Internal audit should treat insider risk as a core audit theme, not a niche IT issue. This includes reviewing access certification processes, segregation of duties in system administration, and the independence of security monitoring functions.

What Internal Audit Must Strengthen Going Forward

The Coupang data breach offers several clear lessons for internal audit functions.

Internal audit should strengthen oversight of identity and access management by testing access revocation timeliness and conducting independent access reviews.

Cybersecurity monitoring should be audited as an end-to-end process, including log completeness, alert thresholds, and incident escalation workflows.

Data protection controls should be assessed beyond regulatory compliance, focusing on practical exposure scenarios and misuse risks.

Incident response readiness should be evaluated through scenario-based reviews, including management response time, communication clarity, and regulatory notification procedures.

Most importantly, cyber risk should be embedded into the enterprise risk management framework, with clear ownership and board-level visibility.
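The access revocation timeliness test recommended in this section can be run as a reconciliation of the HR leaver list against the identity system and the authentication log. The following is an added example, not part of the original article or any Coupang tooling; the CSV layouts, account names, dates and the 24-hour revocation deadline are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample exports (hypothetical layouts, not data from the incident).
HR_LEAVERS = """employee_id,termination_date
E100,2025-03-01
E200,2025-03-10
E300,2025-04-02
"""
IAM_ACCOUNTS = """employee_id,account,disabled_at
E100,jkim,2025-03-01T18:00:00
E200,spark,2025-03-25T09:00:00
E300,hlee,
"""
AUTH_LOG = """timestamp,account,event
2025-02-27T10:00:00,jkim,login_success
2025-03-12T02:14:00,spark,login_success
2025-04-20T23:50:00,hlee,login_success
"""
SLA = timedelta(hours=24)  # assumed policy: disable within 24h of departure


def rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def leaver_findings(hr, iam, log, sla=SLA):
    """Flag leaver accounts disabled late or never, or used after departure."""
    accounts, logins, findings = rows(iam), rows(log), []
    for leaver in rows(hr):
        # Access should end when the last working day ends.
        left = datetime.fromisoformat(leaver["termination_date"]) + timedelta(days=1)
        for acct in (a for a in accounts if a["employee_id"] == leaver["employee_id"]):
            raw = acct["disabled_at"]
            disabled = datetime.fromisoformat(raw) if raw else None
            if disabled is None:
                issue = "never_revoked"
            elif disabled > left + sla:
                issue = "late_revocation"
            else:
                issue = None
            # Successful logins after departure are the evidence of actual misuse risk.
            used = [l["timestamp"] for l in logins
                    if l["account"] == acct["account"] and l["event"] == "login_success"
                    and datetime.fromisoformat(l["timestamp"]) > left]
            if issue or used:
                findings.append({"account": acct["account"],
                                 "issue": issue or "login_after_departure",
                                 "logins_after_departure": used})
    return findings
```

Running the test over the full leaver population rather than a sample also surfaces leavers with no matching identity record, which is a log and inventory completeness question in its own right.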

Conclusion

The Coupang data breach demonstrates that cybersecurity failures are rarely isolated technical events. They are often the result of combined weaknesses in controls, governance, and oversight. For internal auditors, this case reinforces the need to treat cyber risk, insider threats, and data protection as core assurance areas.

Internal audit must continue to evolve its skill set and audit approach to provide meaningful assurance over digital risk. Protecting customer data is no longer just an IT responsibility. It is a fundamental governance obligation.
