Coupang Breach Exposes 33.7M South Koreans’ Data

South Korean e-commerce firm Coupang has revealed that hackers infiltrated their systems and accessed personal information belonging to 33.7 million customers.

That’s quite a number, as it represents roughly three out of every four adults in the entire country. The most disturbing aspect of this breach is that attackers operated undetected for over five months, quietly harvesting customer data from June through November before being discovered two weeks ago on Nov. 18. Coupang has only just revealed the news.

The scale and duration of this incident has prompted government officials to launch emergency investigations. Cybersecurity specialists are warning this could be one of the most devastating personal data leaks in South Korean history, with critics pointing to deep structural weaknesses in corporate cybersecurity practices across the country.

The timeline

The attackers began their assault five months ago on Jun. 24 using overseas servers, but Coupang didn’t discover the intrusion until Nov. 18 — nearly five months later. Initially, the company thought only 4,500 accounts were compromised and reported this smaller figure to authorities 11 days ago on Nov. 20.

Deeper investigation revealed the true scope was nearly 7,500 times larger than originally believed. The exposed information includes customer names, email addresses, phone numbers, shipping addresses, and portions of order histories. Fortunately, payment information, credit card details, and login credentials remained secure.

The massive discrepancy between initial and final numbers raises serious questions about Coupang’s ability to monitor its own systems.

Security failures

The investigation has taken a dramatic turn with authorities identifying a former Chinese employee as the primary suspect behind this massive breach. Police have secured the IP address used in the attack and confirmed the suspect has already left South Korea.

This insider connection reveals troubling gaps in Coupang’s internal security management. Experts note that insider-related incidents can produce more significant damage than external attacks, highlighting how internal security management failed to function adequately.

Despite generating over 41 trillion won ($27.9 billion) in annual revenue, Coupang invested only 89 billion won ($60.6 million) in cybersecurity this year — representing just 0.2% of total revenue. The situation gets worse when you consider that the share of security spending within the company’s total IT investment declined from 7.1% in 2022 to 5.6% last year.

The reality for exposed customers

The South Korean government has launched an emergency response. The Ministry of Science and ICT convened urgent meetings to assess whether Coupang violated national data protection rules, with officials reviewing the company’s security practices and compliance with personal information safeguards.

The Korea Internet & Security Agency (KISA) has issued public warnings, urging affected customers to remain vigilant against phishing attempts and fraudulent messages that could exploit the leaked information. So far, police haven’t received reports of smishing or voice phishing linked to the breach, but preparations are in place if the situation escalates.

Coupang has begun notifying impacted customers through email and text messages while working with a joint public-private taskforce that includes multiple government agencies. The company has also brought in external security specialists and shut down the access route used by attackers.

The breach has raised broader concerns over corporate cybersecurity, with critics describing it as evidence of deep structural weaknesses in security practices across the country. For the 33.7 million affected customers, the immediate priority is staying alert for suspicious communications while authorities work to prevent future incidents of this magnitude.