Incident-as-a-Service
Coupang swings to loss as data breach dents Q4; sees muted near-term growth | Reuters
The 48-Hour Rule in action. This incident happened, we converted it into operational training, and your team can apply the controls immediately.
- Security Analyst: Will benefit by learning to craft specific detection rules for data exfiltration and apply forensic techniques from a real-world case to improve monitoring and initial response capabilities.
- IT Administrator / System Engineer: Will gain crucial knowledge on implementing infrastructure hardening controls, such as access management and network segmentation, directly informed by the breach's attack vectors to prevent similar incidents.
- Compliance Officer / Risk Manager: Will learn to map the technical details of the breach to specific requirements in frameworks like GDPR, NIS2, and SOC 2, enabling more effective risk assessments and audit preparations.
30-day guarantee. Instant access after payment. Lifetime updates for this incident package.
How This Course Is Structured
Clear progression from incident context to practical controls and role-specific action steps.
1. Incident Breakdown
Attack path, trigger conditions, and threat actor behavior translated from the real event timeline.
2. Defensive Controls
Actions your team can implement in the same 48-hour response window used by active security teams.
3. Evidence & Reporting
Completion records and learning outcomes packaged for governance, insurance, and audit workflows.
Course Outline
4 modules · 16 lessons · ~192 min total
Module 1: Threat Intelligence
Deep dive into the incident mechanics, attack vectors, and threat actor analysis. Learn to recognise indicators of compromise.
Module 2: Detection and Response
Practical detection strategies using SIEM, endpoint analysis, and incident response procedures. Build effective playbooks.
Module 3: Infrastructure Hardening
Implement defensive controls including authentication hardening, zero trust principles, and secure architecture patterns.
Module 4: Organisational Readiness
Build security culture, communicate with leadership, manage vendor risks, and ensure compliance integration.
Free Sample Lesson
Read one full lesson before purchasing. No signup required.
Coupang Data Breach Deep Dive
Lesson 1 of 16 · Lesson 1.1: Coupang Data Breach Deep Dive
Compliance Framework Mapping
| Framework | Control | Requirement |
|---|---|---|
| DORA | Article 5 | ICT risk management framework |
| ISO 27001 | A.8.1 | Responsibility for assets |
| NIST CSF | PR.AC-4 | Access permissions and authorisations are managed |
| NIS2 | Article 21 | Risk management measures for network and information systems |
| SOC 2 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives |
| GDPR | Article 32 | Security of processing |
Introduction
Welcome to Lesson 1.1: Coupang Data Breach Deep Dive! Over the next 45 minutes, we will explore how a major e-commerce platform can be brought to its knees by a data breach, and what this incident teaches us about modern threat intelligence.
But first, let me tell you about Min-jun Park.
It's 2:17 PM on a Tuesday in March. Min-jun Park, a senior security analyst at Coupang in Seoul, is reviewing the previous night's security logs. The office hums with the quiet energy of a post-lunch lull, the scent of coffee lingering in the air. His screen is a mosaic of green and amber alerts, nothing out of the ordinary for a platform serving millions of customers.
A notification from the identity and access management system pings. It's a report on privileged account logins. The volume looks normal, but something about the geographic distribution feels off. A cluster of admin-level access requests appears to originate from an IP block not associated with any of the company's known development or support centres. He flags it for a second look.
Before he can investigate further, his phone vibrates. It's a message from a colleague in the fraud team: customers are reporting strange password reset emails they didn't request. Then another: the customer service queue is spiking with complaints about unauthorised purchases. Min-jun's stomach drops. This isn't a coincidence. He makes a decision: he triggers the internal incident response protocol, knowing the next few hours will define his career.
This is the story of a data breach. By the end of this lesson, you'll understand why Min-jun was already too late by the time the alerts reached him, and, more importantly, what could have saved him.
Content Section 1: What is a Data Breach?
Think of a data breach not as a single event, but as a slow-motion car crash. It starts with a small crack in the windscreen—a misconfiguration, a weak credential—and ends with the entire vehicle shattering, scattering personal information across the digital highway.
Key Characteristics
A data breach involves the unauthorised access, disclosure, or theft of sensitive, protected, or confidential data. For a company like Coupang, this isn't just about credit card numbers. It's the full spectrum: names, addresses, purchase histories, and account credentials that customers believed were secure.
The impact is rarely contained to IT. Research suggests the consequences ripple outwards, affecting customer trust, stock price, and regulatory standing almost immediately. The business feels the pain in lost sales, remediation costs, and legal fees.
For the individuals whose data is stolen, the implications are personal and prolonged. Stolen credentials can be used for identity theft, account takeover fraud, or as a stepping stone to attack other services where the person has reused passwords.
The Business Impact
When news of a breach breaks, the market reacts. In Coupang's case, the company reported that the incident contributed to a financial loss in the fourth quarter. Growth expectations for the near future were described as muted.
Beyond the immediate financials, the cost includes forensic investigations, customer notification programmes, credit monitoring services, potential regulatory fines, and a significant investment in rebuilding security controls. The total cost often far exceeds initial estimates.
Think back to the point about reused passwords for a moment. A single breach at one company doesn't just compromise that one account; it can unlock a person's entire digital life.
DORA Article 5 requires financial entities to have a sound, comprehensive, and effective ICT risk management framework. Note that DORA binds EU financial entities, so this mapping is for readers in that sector rather than a claim about Coupang's own obligations; for them, a data breach of this scale would indicate a potential failure in identifying or mitigating ICT risk.
ISO 27001 A.8.1 mandates that assets associated with information and information processing facilities be identified and an inventory maintained. A breach often reveals gaps in this inventory, where sensitive data exists but isn't formally classified and protected.
Content Section 2: The Anatomy of the Attack
Understanding how attackers operate reveals why they're so effective. Let me walk through how an intrusion like the one at Min-jun's company typically unfolds; the public record does not give every step, so treat this as the pattern rather than a confirmed timeline.
Attack Flow
The attack likely began long before Min-jun saw the alerts. Industry data indicates many breaches start with reconnaissance, where attackers scan for weaknesses. This could be a vulnerable web application, a misconfigured cloud storage bucket, or a phishing email sent to an employee with system access.
Once a foothold is gained—say, through stolen employee credentials—the attacker moves laterally. They use that initial access to explore the network, escalate privileges, and locate the valuable data stores: customer databases, payment processing systems, or backup servers.
The final phase is exfiltration. Data is quietly copied and transferred out, often encrypted or disguised as normal traffic to avoid detection. By the time customer complaints start, the data is already in the hands of the threat actors.
Key Technical Components
Attackers frequently use legitimate administrative tools already present on the network, a technique known as 'living off the land'. This makes their actions harder to distinguish from normal admin work.
Data is often compressed and encrypted before being sent to external servers controlled by the attackers. The destination might be a cloud storage service or a server in a jurisdiction with lax enforcement, making recovery difficult.
Why Traditional Defences Fail
Many organisations rely on a set of standard defences. Here's how a determined attacker bypasses them:
| Method | How It's Bypassed | Time to Compromise |
|---|---|---|
| Perimeter Firewalls | Attack starts with a compromised insider credential or a vulnerable public-facing app, coming from 'inside' the trusted zone. | Days/Weeks |
| Signature-based AV | Uses custom malware or legitimate system tools that don't match known signatures. | Minutes/Hours |
| Simple Alerting | Floods logs with low-level noise or operates slowly to stay below automated threshold alerts. | Days/Months |
| Manual Log Review | The volume and complexity of logs mean anomalous behaviour is a needle in a haystack. | Indefinite |
Notice what all of these methods have in common. They exploit the gap between a simple rule and intelligent context. They rely on the defender being overwhelmed by data without the means to understand it.
Now pay attention, because this is the moment that detection fails. This is the moment where the attacker's activity blends in with the noise of legitimate business, moving data out under the cover of everyday operations.
NIST CSF PR.AC-4 requires that access permissions and authorisations are managed, incorporating the principles of least privilege. A breach involving privileged account misuse is a direct failure of this control.
NIS2 Article 21 mandates that essential and important entities take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems. This includes preventing and minimising the impact of incidents such as data breaches.
Content Section 3: Detection Mechanisms
Min-jun's systems knew something was wrong. The logs contained clues. The problem was connecting the dots. Here's what to look for.
Network-Level Indicators
Monitor for unusual outbound data flows. Look for large volumes of data being sent to unfamiliar external IP addresses or cloud storage domains, especially outside of business hours. A sudden spike in outbound traffic from a database server to an unknown location is a major red flag.
Pay attention to protocol anomalies. Is data being exfiltrated over DNS tunnels or non-standard ports? Is there encrypted traffic flowing to destinations that don't normally receive it?
Establish a baseline of normal data flow patterns for critical servers. Any significant deviation from this baseline should be investigated immediately, not just logged.
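The baseline-and-deviation approach described above, as an added example that is not part of the lesson's own materials or Coupang's tooling: it builds a robust per-host baseline (median and median absolute deviation) of hourly outbound bytes from constructed flow records, then scores later hours on three of the signals named in this section: volume far above baseline, a destination the host has never sent to, and activity outside business hours. The host names, destinations, byte counts, the 203.0.113.7 address and the 09:00 to 18:59 business window are all assumptions made for the example.

```python
"""Outbound-volume anomaly scoring over constructed NetFlow-style records.

Added example for this lesson (not Coupang's or the course's own tooling).
Host names, destinations and byte counts are constructed; 203.0.113.0/24 is
a documentation range, used here as the "unknown external" destination.
"""
from collections import defaultdict
from statistics import median

BUSINESS_HOURS = range(9, 19)  # assumed 09:00-18:59 local time
MAD_MULTIPLIER = 6.0           # robust deviations above the median before flagging

# Constructed flows: (ISO timestamp, source host, destination, bytes out).
# 2-4 March is normal traffic from the database server to two internal
# systems; the 03:00 burst on 5 March to an unknown address is the
# hypothetical exfiltration. The 10:00 flow on 5 March is normal traffic
# after the cutoff and should not be flagged.
SAMPLE_FLOWS = [
    ("2026-03-02T10:00:00", "db-01", "analytics.internal", 420_000),
    ("2026-03-02T14:00:00", "db-01", "analytics.internal", 390_000),
    ("2026-03-02T18:00:00", "db-01", "backup.internal", 510_000),
    ("2026-03-03T10:00:00", "db-01", "analytics.internal", 450_000),
    ("2026-03-03T14:00:00", "db-01", "analytics.internal", 400_000),
    ("2026-03-03T18:00:00", "db-01", "backup.internal", 495_000),
    ("2026-03-04T10:00:00", "db-01", "analytics.internal", 430_000),
    ("2026-03-04T14:00:00", "db-01", "analytics.internal", 410_000),
    ("2026-03-04T18:00:00", "db-01", "backup.internal", 505_000),
    ("2026-03-05T03:00:00", "db-01", "203.0.113.7", 9_800_000),
    ("2026-03-05T03:05:00", "db-01", "203.0.113.7", 8_700_000),
    ("2026-03-05T10:00:00", "db-01", "analytics.internal", 440_000),
]


def hourly_totals(flows):
    """Sum bytes per (host, YYYY-MM-DDTHH) and collect destinations per hour."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for ts, host, dst, nbytes in flows:
        key = (host, ts[:13])
        totals[key] += nbytes
        dests[key].add(dst)
    return totals, dests


def build_baseline(flows, cutoff):
    """Per-host median and MAD of hourly outbound bytes, plus the set of
    destinations seen, from flows strictly before the cutoff timestamp."""
    baseline_flows = [f for f in flows if f[0] < cutoff]
    totals, _ = hourly_totals(baseline_flows)
    per_host = defaultdict(list)
    for (host, _hour), nbytes in totals.items():
        per_host[host].append(nbytes)
    baseline = {}
    for host, values in per_host.items():
        med = median(values)
        mad = median([abs(v - med) for v in values])
        baseline[host] = {
            "median": med,
            # A flat baseline (MAD 0) would make any change an alert; use a floor.
            "mad": mad if mad > 0 else max(med * 0.1, 1),
            "destinations": {dst for _, h, dst, _ in baseline_flows if h == host},
        }
    return baseline


def score_hourly_flows(flows, cutoff, k=MAD_MULTIPLIER):
    """Score every host-hour at or after the cutoff; return only hours with
    at least one reason, highest severity first."""
    baseline = build_baseline(flows, cutoff)
    totals, dests = hourly_totals([f for f in flows if f[0] >= cutoff])
    findings = []
    for (host, hour), nbytes in totals.items():
        reasons = []
        ref = baseline.get(host)
        if ref is None:
            reasons.append("no_baseline_for_host")
        else:
            if nbytes > ref["median"] + k * ref["mad"]:
                reasons.append("volume_above_baseline")
            if dests[(host, hour)] - ref["destinations"]:
                reasons.append("new_destination")
        if int(hour[11:13]) not in BUSINESS_HOURS:
            reasons.append("outside_business_hours")
        if reasons:
            findings.append({"host": host, "hour": hour, "bytes": nbytes,
                             "reasons": reasons, "severity": len(reasons)})
    return sorted(findings, key=lambda f: -f["severity"])


if __name__ == "__main__":
    for finding in score_hourly_flows(SAMPLE_FLOWS, "2026-03-05"):
        print(finding)
```

On the sample data the baseline for db-01 is a median of 430,000 bytes per hour with a MAD of 30,000, so the threshold is 610,000 bytes; the 03:00 hour carries 18.5 MB to an unseen address out of hours and is the only finding, with all three reasons attached. Median and MAD are used rather than mean and standard deviation because a single earlier exfiltration hour in the baseline window would otherwise inflate the threshold and hide the next one.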
Endpoint-Level Indicators
Watch for process behaviour, not just file signatures. Is a legitimate tool like `powershell.exe` or `sqlcmd.exe` being run by a user who never uses it? Is it making network connections or accessing files it shouldn't?
Monitor for privilege escalation. Multiple failed login attempts followed by a success, or a user account suddenly being added to an administrative group, can signal an attacker consolidating control.
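The 'many failures, then a success, then a group membership change' sequence above, as an added example that is not part of the lesson's own materials or Coupang's detection content. It correlates constructed Windows-style security events: a success is suspicious when at least five failures for the same account and source precede it inside ten minutes, and it becomes an alert when that account is added to a security group within thirty minutes afterwards. The event IDs follow the Windows Security log (4625 logon failure, 4624 logon success, 4732 member added to a security-enabled local group); the accounts, addresses, timings and thresholds are assumptions.

```python
"""Correlate a burst of logon failures, the success that follows, and a
privilege grant into one alert, over constructed Windows-style events.

Added example for this lesson; not Coupang's or the course's own detection
content. Event IDs follow the Windows Security log (4625 logon failure,
4624 logon success, 4732 member added to a security-enabled local group);
the records, accounts and addresses are constructed.
"""
from datetime import datetime, timedelta

FAILURE, SUCCESS, GROUP_ADD = 4625, 4624, 4732

SAMPLE_EVENTS = [
    # Normal: one mistyped password, then success, during the working day.
    {"ts": "2026-03-04T09:01:00", "id": FAILURE, "user": "m.park", "src": "10.20.1.12"},
    {"ts": "2026-03-04T09:01:15", "id": SUCCESS, "user": "m.park", "src": "10.20.1.12"},
    # Suspicious: six failures in under four minutes, then success, then the
    # same account is added to the local Administrators group.
    {"ts": "2026-03-04T23:41:02", "id": FAILURE, "user": "svc-backup", "src": "10.20.5.44"},
    {"ts": "2026-03-04T23:41:40", "id": FAILURE, "user": "svc-backup", "src": "10.20.5.44"},
    {"ts": "2026-03-04T23:42:18", "id": FAILURE, "user": "svc-backup", "src": "10.20.5.44"},
    {"ts": "2026-03-04T23:42:55", "id": FAILURE, "user": "svc-backup", "src": "10.20.5.44"},
    {"ts": "2026-03-04T23:43:31", "id": FAILURE, "user": "svc-backup", "src": "10.20.5.44"},
    {"ts": "2026-03-04T23:44:09", "id": FAILURE, "user": "svc-backup", "src": "10.20.5.44"},
    {"ts": "2026-03-04T23:44:50", "id": SUCCESS, "user": "svc-backup", "src": "10.20.5.44"},
    {"ts": "2026-03-04T23:52:10", "id": GROUP_ADD, "user": "svc-backup", "src": "10.20.5.44",
     "member": "svc-backup", "group": "Administrators"},
]


def _parse(events):
    """Copy events with parsed timestamps, sorted chronologically."""
    return sorted(
        ({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
        key=lambda e: e["ts"],
    )


def find_guessing_successes(events, min_failures=5, window=timedelta(minutes=10)):
    """Successes preceded by at least min_failures failures for the same
    (user, source) inside the window: the 'many failures then a success'
    pattern from the lesson."""
    parsed = _parse(events)
    hits = []
    for i, ev in enumerate(parsed):
        if ev["id"] != SUCCESS:
            continue
        failures = [
            p for p in parsed[:i]
            if p["id"] == FAILURE
            and (p["user"], p["src"]) == (ev["user"], ev["src"])
            and ev["ts"] - p["ts"] <= window
        ]
        if len(failures) >= min_failures:
            hits.append({"user": ev["user"], "src": ev["src"],
                         "success_at": ev["ts"], "failures": len(failures)})
    return hits


def correlate_privilege_grants(events, grace=timedelta(minutes=30)):
    """Escalate a guessing success to an alert when the same account is
    added to a security group within the grace period afterwards."""
    parsed = _parse(events)
    alerts = []
    for hit in find_guessing_successes(events):
        for ev in parsed:
            if (ev["id"] == GROUP_ADD
                    and ev.get("member") == hit["user"]
                    and timedelta(0) <= ev["ts"] - hit["success_at"] <= grace):
                alerts.append({**hit, "group": ev["group"], "granted_at": ev["ts"],
                               "rule": "guessed_password_then_privilege_grant"})
    return alerts


if __name__ == "__main__":
    for alert in correlate_privilege_grants(SAMPLE_EVENTS):
        print(alert)
```

The single mistyped password by m.park never reaches the failure threshold, so only svc-backup produces a hit (six failures, then success at 23:44:50) and the Administrators addition seven minutes later turns it into the one alert. Keying the failure count on both account and source address is what separates a password-guessing session from a user who fat-fingers a password once from several devices.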
Identity Provider Signals
The identity system is a goldmine for detection. A surge in password reset requests, multi-factor authentication fatigue attacks (where a user is bombarded with MFA prompts), or logins from impossible locations are all strong indicators of credential-focused attacks.
Look for 'impossible travel'—a user account logging in from Seoul and then from a different country an hour later. Monitor for patterns where an account is accessed from a new device or browser fingerprint immediately after a password reset.
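Two of the identity-provider rules above, impossible travel and a never-before-seen device immediately after a password reset, as an added example that is not part of the lesson's own materials or Coupang's detection content. It runs over constructed IdP events with coordinates and device fingerprints; the users, locations, timings, the 900 km/h speed ceiling and the 30-minute post-reset window are all assumptions made for the example.

```python
"""Identity-provider signals from the lesson over constructed IdP events:
impossible travel (consecutive logins too far apart for the elapsed time)
and a never-before-seen device appearing right after a password reset.

Added example for this lesson; not Coupang's or the course's own detection
content. Users, coordinates, device fingerprints and timings are constructed;
the 900 km/h speed limit and 30-minute reset window are assumed thresholds.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0          # faster than any commercial flight
RESET_WATCH_WINDOW = timedelta(minutes=30)

SAMPLE_EVENTS = [
    # alice: Seoul, then Frankfurt 55 minutes later -> impossible travel
    {"ts": "2026-03-04T08:00:00", "user": "alice", "event": "login",
     "lat": 37.5665, "lon": 126.9780, "device": "dev-a1"},
    {"ts": "2026-03-04T08:55:00", "user": "alice", "event": "login",
     "lat": 50.1109, "lon": 8.6821, "device": "dev-a1"},
    # bob: Seoul, then Tokyo three hours later -> plausible flight
    {"ts": "2026-03-04T07:00:00", "user": "bob", "event": "login",
     "lat": 37.5665, "lon": 126.9780, "device": "dev-b1"},
    {"ts": "2026-03-04T10:00:00", "user": "bob", "event": "login",
     "lat": 35.6762, "lon": 139.6503, "device": "dev-b1"},
    # carol: known device for weeks, password reset, unknown device 4 min later
    {"ts": "2026-02-20T09:00:00", "user": "carol", "event": "login",
     "lat": 37.5665, "lon": 126.9780, "device": "dev-c1"},
    {"ts": "2026-03-04T14:10:00", "user": "carol", "event": "password_reset"},
    {"ts": "2026-03-04T14:14:00", "user": "carol", "event": "login",
     "lat": 37.5665, "lon": 126.9780, "device": "dev-c9"},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def _by_user(events):
    """Group events per user with parsed timestamps, each group sorted."""
    grouped = defaultdict(list)
    for e in events:
        grouped[e["user"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})
    for seq in grouped.values():
        seq.sort(key=lambda e: e["ts"])
    return grouped


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive logins whose implied speed exceeds max_kmh."""
    findings = []
    for user, seq in _by_user(events).items():
        logins = [e for e in seq if e["event"] == "login"]
        for prev, cur in zip(logins, logins[1:]):
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if hours == 0:
                # Same timestamp, different place: treat as infinitely fast.
                speed = float("inf") if km > 0 else 0.0
            else:
                speed = km / hours
            if speed > max_kmh:
                findings.append({"user": user, "rule": "impossible_travel",
                                 "km": round(km), "hours": round(hours, 2),
                                 "kmh": round(speed)})
    return findings


def new_device_after_reset(events, window=RESET_WATCH_WINDOW):
    """Flag a login from a device the user has never used before when it
    occurs within the window after that user's most recent password reset."""
    findings = []
    for user, seq in _by_user(events).items():
        known, last_reset = set(), None
        for e in seq:
            if e["event"] == "password_reset":
                last_reset = e["ts"]
            elif e["event"] == "login":
                if (e["device"] not in known and last_reset is not None
                        and e["ts"] - last_reset <= window):
                    findings.append({"user": user, "rule": "new_device_after_reset",
                                     "device": e["device"],
                                     "minutes_after_reset": (e["ts"] - last_reset).seconds // 60})
                known.add(e["device"])
    return findings


def run_identity_rules(events):
    return impossible_travel(events) + new_device_after_reset(events)


if __name__ == "__main__":
    for finding in run_identity_rules(SAMPLE_EVENTS):
        print(finding)
```

Seoul to Frankfurt is roughly 8,550 km by great circle, so alice's two logins 55 minutes apart imply well over 9,000 km/h and are flagged, while bob's Seoul to Tokyo hop over three hours stays under the ceiling. carol's login from dev-c9 four minutes after her reset is flagged because the device set is built only from logins that precede the reset; in production the known-device set would come from the IdP's device registry rather than from the same event stream.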
SOC 2 CC6.1 requires logical access controls to protect information assets from security events. Effective detection of anomalous access patterns, as described above, is a key component of meeting this criterion and providing evidence of operational effectiveness.
GDPR Article 32 requires the implementation of appropriate technical measures to ensure a level of security appropriate to the risk. This includes the 'ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems.' Proactive detection of breach attempts is a core part of this obligation.
Activity: Data Flow Mapping Exercise
You can't protect what you don't know you have. This activity will help you identify where your organisation's most sensitive customer data lives and how it moves.
Important Security Note: Do NOT document specific system names, IP addresses, or detailed technical configurations. This is a high-level mapping exercise. Never conduct detailed discovery or scanning without explicit authorisation from your security and infrastructure teams.
Instructions
Step 1: Identify one critical customer data type (e.g., payment information, personal identifiers, health data).
Step 2: Trace its journey. Where is it first captured (e.g., web form, mobile app)? Where is it initially stored?
Step 3: List all the systems or databases this data type is copied or transferred to (e.g., main customer database, analytics platform, backup server, third-party processor).
Step 4: For each storage and transfer point you identified, note one potential detection method from the lesson (e.g., 'Monitor for large SQL queries from the analytics server to the main DB outside of scheduled jobs').
Submission
For the course discussion forum, share general learnings only:
- What was the most surprising or unclear data flow you identified?
- Which detection method from the lesson seemed most practical to implement for your mapped flow?
- What was the biggest challenge in completing this map?
Do NOT share: Specific application or server names, internal network diagrams, IP addresses, names of third-party vendors, or any details about security control gaps.
Review and comment on at least two other students' submissions.
Content Section 4: Compliance Documentation
Think of compliance not as a box-ticking exercise, but as the receipt for your security work. It's the proof that you've done the thinking before the incident happens.
Evidence Generation
This lesson provides documentation for multiple compliance frameworks:
For DORA Article 5 auditors, you can now demonstrate that key personnel have received training on identifying ICT risks related to data breaches, including attack flows and detection mechanisms, as part of your risk management framework.
For ISO 27001 A.8.1 assessors, you can evidence that the activity undertaken promotes the identification and classification of information assets (customer data), a fundamental step in applying appropriate controls.
For NIST CSF PR.AC-4 reviewers, you can show an understanding of how unauthorised access is gained and how monitoring privileged account behaviour (a key part of access management) is critical for detection.
Audit Trail
Document your completion of this lesson:
- Lesson title and date completed
- Time invested: approximately 45 minutes
- Key learnings in your own words
- Activity submission reference
- Follow-up actions identified
Conclusion
Let me tell you how Min-jun's story ended.
The investigation lasted months. Min-jun and his team worked around the clock. The company faced regulatory scrutiny, class-action lawsuits, and a significant hit to its reputation. While Min-jun wasn't blamed personally, the stress took a toll, and the breach became the defining event of his tenure there.
The organisation eventually overhauled its security programme. They implemented stricter access controls, deployed User and Entity Behaviour Analytics (UEBA) to spot anomalies, and mandated comprehensive data flow mapping. They learned the hard way that perimeter defence was not enough.
But it doesn't have to be your story. That's why we're here.
You should now understand that a data breach is a process, not a point-in-time event. You understand how attackers bypass traditional defences by blending in. You know the key technical and behavioural indicators that can signal an ongoing breach. And you understand how mapping your data flows is the first, non-negotiable step towards building intelligent detection.
Next, we'll explore Lesson 1.2: Building a Threat Intelligence Programme. We'll look at how to turn these lessons into a proactive system that anticipates attacks before they happen.
See you there.
Key Takeaways
1. Breaches are Processes: A data breach unfolds over stages—reconnaissance, initial access, lateral movement, and exfiltration—and early detection in any of these phases can limit the damage.
2. Context Beats Rules: Traditional signature-based defences fail because attackers use legitimate tools and slow, low-noise techniques; detection must focus on anomalous behaviour and contextual awareness.
3. Know Your Data's Journey: You cannot protect sensitive data if you don't know where it is stored, how it moves, and who can access it; data flow mapping is a foundational security activity.
4. Indicators are Multi-Layered: Effective detection combines network traffic analysis, endpoint process monitoring, and identity system alerts to build a complete picture of potential compromise.
Resources
The course materials folder contains downloadable resources for this lesson:
- Lesson 1.1 Quick Reference Card - Summarise the key detection indicators (network anomalies, privileged account misuse, identity signals) and immediate containment steps for a suspected data breach like Coupang's on a single page.
- Compliance Mapping Worksheet - Map your organisation's data protection controls against the specific DORA, ISO 27001, and NIST CSF requirements relevant to preventing and detecting data breach attacks as covered in this lesson.
- Risk Assessment Template - Assess your organisation's exposure to data breach threats based on the attack vectors (credential theft, lateral movement, data exfiltration) and the data flows identified in your activity.
- Further reading - Links to official framework documentation (NIST SP 800-53, ISO 27002) and threat intelligence sources focusing on data exfiltration techniques and case studies.
© LimitedView Limited | 2026
This is 1 of 16 lessons included in the full package.
Enrol Now — Unlock All Lessons
Want to track your progress? Create a free account
Choose Your Access
All plans include 30-day money-back guarantee
Taster
Single course access — ideal for trying us out
- Full course access
- Completion certificate
- Try before you commit
Standard
Full course with materials and certificate
- Full course access
- Downloadable materials
- Professional certificate
- Email support
Teams
Transparent pricing, no sales call required
Starter Team
£99.80/seat effective
Up to 5 learners, all courses included
Growth Team
£66.60/seat effective
Up to 15 learners, all courses included
Scale Team
£39.98/seat effective
Up to 50 learners, all courses included
Need 50+ seats? Contact us for a custom plan.
Fast Checkout
Start Learning in Minutes
Enter your details, choose a tier, and complete secure checkout. Access starts immediately after payment confirmation.
- Stripe-secured payment and delivery workflow
- Audit-friendly completion records
- Escalate to enterprise volume licensing at any point
48-Hour Relevance Guarantee
If this course does not provide at least five actionable controls your team can deploy quickly, request a full refund within 30 days.
Secure checkout
Not ready to purchase? Create a free account to browse and track progress.