Ask Onix
Coupang discloses breach exposing 34 million South Korean customer accounts
South Korea's leading e-commerce platform, Coupang, issued a public apology on Monday after revealing that a cybersecurity incident may have compromised the personal data of up to 33.7 million local customer accounts, more than half the country's population. The breach, which authorities suspect began as early as June, originated from an overseas server, according to the company.
Scope of the breach and exposed data
Initially, Coupang detected unauthorized access to roughly 4,500 accounts on November 18 and alerted regulators. However, subsequent investigations uncovered the far broader scale of the incident. The exposed information includes customer names, email addresses, phone numbers, shipping addresses, and partial order histories, the company confirmed in a statement.
Coupang emphasized that no credit card details or login credentials were leaked, asserting that "sensitive financial and authentication data remains securely protected." Customers were advised to remain vigilant against potential scams impersonating the company but were told no immediate action was required.
Regulatory response and potential penalties
South Korea's Ministry of Science and ICT announced it is probing the breach's scope and whether Coupang violated data protection laws. In a statement, the ministry warned of "strict sanctions" if the investigation reveals negligence in safety measures under the Personal Information Protection Act. The breach's magnitude, affecting data tied to over 60% of South Korea's 52 million residents, has intensified scrutiny.
The Korea Internet & Security Agency (KISA) is leading technical inquiries, while local media reports suggest a former Coupang employee from China may be linked to the incident. Authorities have not confirmed the suspect's identity or motives.
Criticism and context of recurring breaches
South Korean media and public figures condemned the incident as a systemic failure. The editorial board of Chosun Ilbo called the breach "preposterous" and demanded heavier penalties for firms failing to safeguard customer data. Dong-A Ilbo labeled it "the worst personal data leak in Korean history" and questioned how the intrusion went undetected for months, stating, "It means their internal data protection system barely mattered."
Coupang, often dubbed South Korea's answer to Amazon, has faced prior cybersecurity lapses, including a 2022 incident exposing 460,000 accounts. The latest breach follows high-profile attacks on other major firms this year:
- SK Telecom, the nation's largest mobile operator, was fined $100 million in 2024 after a breach affected over 20 million subscribers.
- Lotte Card, a credit card provider, disclosed in September that hackers accessed data from nearly 3 million customers.
Company response and next steps
In a public statement, Coupang, headquartered in the U.S. but founded in South Korea, reiterated its apology and pledged cooperation with regulators. The company, which reported 25 million active users earlier this year, has not disclosed how the overseas server was compromised or why the breach remained undetected for months.
The Personal Information Protection Commission is expected to release preliminary findings within weeks, with potential fines or corrective orders depending on the investigation's outcome. Coupang users were urged to monitor communications from the company and report suspicious activity.
"We deeply regret this incident and are committed to strengthening our security frameworks to prevent future occurrences."
Coupang spokesperson, November 2025