Coupang Hit by Historic Data Breach as 33.7 M Accounts Exposed
Coupang, South Korea’s largest e-commerce platform, confirmed a catastrophic data breach that exposed personal data of approximately 33.7 million user accounts — a scale that makes it the largest hack in the country’s history.
According to the company, the breach affected names, email addresses, phone numbers, shipping addresses, and certain order histories. Sensitive payment data, such as credit card or login credentials, was reportedly not compromised.
Coupang says the unauthorised access began on June 24, 2025, via overseas servers, but the breach remained undetected until November 18, when the company first flagged suspicious exposure of about 4,500 accounts. A follow-up investigation revealed the full extent of the compromise.
Probe Launched, Government and Regulators Demand Answers
South Korean authorities, including the National Police Agency, the Personal Information Protection Commission (PIPC), and the Korea Internet & Security Agency (KISA) have launched a joint investigation into whether Coupang violated personal data protection laws.
Preliminary findings suggest the breach may have been insider-driven: investigators suspect a former Coupang employee — reportedly of Chinese nationality — used a stolen authentication key to access the company’s user database.
At a parliamentary hearing, lawmakers harshly criticized the delay in detection and poor security practices. The company’s CEO, Park Dae-jun, accepted responsibility for the breach as head of the Korean entity, but lawmakers also called on founder Bom Kim to publicly address the crisis.
Under current regulations, the breach could attract fines up to 3 percent of the company’s annual revenue — which could translate to more than 1 trillion Korean won (≈ US$680 million), depending on assessment of the violation’s severity.
Fallout: Customer Trust, Legal Liabilities and Long-Term Risk
The breach affects roughly two-thirds of South Korea’s population, prompting urgent calls for stronger data protection and more robust cybersecurity frameworks.
In response, Coupang said it has blocked the access route, enhanced internal monitoring, and engaged an independent security firm to assist with remediation. Affected customers are being notified, and regulators have instructed the company to detail the compromised data publicly and advise users on protective actions such as updating addresses or login credentials.
While customers may not need to change payment methods — since payment data was reportedly unaffected — the exposure of contact and address information raises major risks of phishing, identity theft, and unsolicited communication. Security analysts warn that the breach illustrates deep structural flaws in corporate cybersecurity compliance and insider-threat safeguards.
Whether this leads to a major class-action lawsuit, regulatory penalties, or lasting damage to consumer trust, the fallout for Coupang — and corporate data governance in South Korea — is likely to be severe.
