Coupang Admits Massive Breach Potentially Exposing Data of Nearly 34 Million Customers

South Korea’s top online retailer, Coupang, has issued an apology after revealing a large-scale security breach that may have compromised the personal information of almost 34 million domestic customer accounts.

The nation’s internet regulator confirmed that it has launched an inquiry, noting that data linked to the millions of affected accounts appears to have been exposed. Often dubbed the South Korean counterpart to Amazon.com, Coupang now finds itself at the center of what local media are calling an unprecedented privacy failure—one that follows a string of major corporate data leaks in the country, including one involving telecom giant SK Telecom.

According to the company, the initial red flag emerged on 18 November, when it detected unauthorized access to the personal details of roughly 4,500 users and promptly notified regulators. Subsequent internal reviews, however, revealed that the intrusion likely extended far wider, potentially affecting about 33.7 million South Korean accounts. Coupang said it believes the breach may have begun as early as June and traced it to a server located outside the country.

The retailer stated that the compromised information includes customers’ names, email addresses, phone numbers, delivery addresses, and parts of their order histories. Coupang emphasized that “no credit card information or login credentials were leaked,” insisting those categories remain securely safeguarded. The company added that its users “do not need to take any action at this point” but urged them to remain vigilant against possible scam attempts imitating the company.

The number of accounts affected represents more than half of South Korea’s population of roughly 52 million. Although Coupang is headquartered in the United States, it was founded in South Korea and recently reported close to 25 million active users. The company has not disclosed who may be responsible for the intrusion, though South Korean news outlets on Sunday reported that a former Coupang employee based in China is being treated as a suspect.

South Korea’s Ministry of Science and ICT said authorities are now examining the full scope of the incident and assessing whether Coupang failed to comply with data-protection requirements. In a statement, the Ministry said, “As the breach involves the contact details and addresses of a large number of citizens, the Commission plans to conduct a swift investigation and impose strict sanctions if it finds a violation of the duty to implement safety measures under the Protection Act.”

Coupang has previously suffered multiple cybersecurity lapses, including a breach that exposed data belonging to 460,000 customers. This latest episode has triggered sharp backlash from prominent South Korean organizations. The editorial board of the Chosun Ilbo blasted the situation as “preposterous” and called for significant penalties against companies responsible for endangering users’ information. The Dong-A Ilbo described the breach as “the worst personal data leak” in the nation’s history, questioning how such an intrusion could go undetected for so long and contending it “means their internal data protection system barely mattered.”

The Coupang incident adds to a rising tally of cybersecurity failures in the country this year, despite South Korea’s reputation for strict data privacy standards. SK Telecom faced a nearly $100 million penalty following a breach impacting more than 20 million subscribers, while in September, credit card provider Lotte Card confirmed that close to three million customers had their data stolen in a cyber-attack.

By fLEXI tEAM