South Korean e-commerce leader Coupang has disclosed a major security breach that may have exposed personal information from almost 34 million customer accounts, drawing scrutiny from regulators and alarm from the public.
The Korea Internet & Security Agency (KISA), together with other government authorities, has launched an investigation, describing the case as potentially one of the largest personal data leaks in South Korea’s history.
Intrusion Believed to Have Started in June
Coupang said it first noticed suspicious activity on 18 November, when internal monitoring flagged unauthorized access to around 4,500 customer accounts. The company notified regulators the same day.
A deeper review of server logs later indicated that the problem was far wider than initially thought. The company says the breach likely exposed data linked to about 33.7 million customer accounts in South Korea and may have started as early as June through an overseas server.
Coupang says attackers accessed customers’ names, email addresses, mobile phone numbers, delivery addresses and parts of their order histories, but left credit card data, passwords and login credentials encrypted and untouched.
The firm has said customers do not currently need to reset their passwords, but it has urged them to be wary of emails, calls, or text messages that appear to come from Coupang and request personal details.
More Than Half the Population Potentially Affected
South Korea has a population of roughly 52 million, meaning the number of accounts involved could represent data tied to more than half of the country’s residents.
Coupang, often compared to Amazon for its dominant role in South Korea’s e‑commerce market, recently reported close to 25 million active users. The higher figure of 33.7 million relates to all registered accounts, including those that may be inactive.
The company, which began in South Korea and later moved its headquarters to the United States, has issued a formal apology, saying it “deeply regrets” the incident and the concern caused to its customers.
Former Employee Reportedly Under Investigation
Coupang has not named any suspect, but local media outlets have reported that investigators are focusing on a former employee now believed to be in China. Authorities have not publicly confirmed that account, and no charges have been announced.
South Korea’s Ministry of Science and ICT has said regulators are looking at both the scale of the breach and whether Coupang fulfilled its legal obligations to protect personal information. The Personal Information Protection Commission has indicated it will move quickly and impose strong penalties if it finds evidence of weak security practices or violations of the country’s data protection laws.
Because the exposed records contain phone numbers, email addresses, and home addresses, officials have cautioned that the risks to individuals are considerable, especially if criminals exploit the data for scams or identity theft.
Former Employee Reportedly Under Investigation
The breach has sharpened criticism of major South Korean corporations’ handling of customer information. Leading newspapers have called the incident unparalleled in scale and have asked how an intrusion that appears to have lasted for months went unnoticed for so long.
Commentators have also highlighted Coupang’s previous cybersecurity problems. In an earlier case, information on about 460,000 customers was exposed, raising questions over whether lessons were learned from that episode.
Part of a Wider Wave of Cyber Incidents
Coupang’s disclosure comes in a year marked by other high‑profile breaches involving major South Korean firms.
Regulators fined SK Telecom, the country’s biggest mobile carrier, nearly $100m (£76m) after finding that hackers had compromised personal data for more than 20 million subscribers. In a separate incident in September, credit card provider Lotte Card reported that a cyberattack had leaked details of almost three million customers.
These cases have fuelled debate over whether, despite strict privacy laws on paper, enforcement and day‑to‑day security practices at large corporations remain short.
What Coupang Customers Should Do
Although Coupang says it has kept financial data and passwords secure, security specialists advise potentially affected users to:
- Treat unsolicited emails, texts, or calls asking for personal details with suspicion.
- Review their Coupang and email accounts for unexpected orders, messages, or login activity.
- Avoid clicking on links that claim to offer refunds, compensation, or “security checks” related to the breach.
Once regulators complete their examination of Coupang’s systems, its handling of the incident and any potential violations of South Korea’s data protection rules, they will release further details.
