South Korean police announced on December 1 that they are investigating a data breach that exposed the personal information of 33.7 million Coupang customers. The breach began on June 24, 2025, and was detected by Coupang on November 18, 2025. The company reported the incident to authorities on November 19‑20, prompting the police investigation that was publicly disclosed the following day.
Investigators say attackers exploited authentication vulnerabilities in Coupang’s servers, gaining access without a legitimate login. Evidence points to a former employee of Chinese nationality who left the company before the breach was discovered, indicating an insider threat. The nearly five‑month gap between the start of the breach and its detection raises questions about the company’s monitoring and incident‑response capabilities.
The scale of the breach threatens Coupang’s reputation as South Korea’s largest online retailer. With 33.7 million affected accounts—about 65 % of the country’s population—the incident could erode customer trust and invite regulatory scrutiny. The fine that could be imposed may rival or exceed the record 134.8 billion won ($91‑97 million) levied on SK Telecom for a previous breach, underscoring the potential financial impact.
Coupang’s CEO, Park Dae‑jun, issued a public apology, stating, “I express deep regret over the incident that began on June 24. We sincerely apologize for the inconvenience and concern caused.” Minister of Science and ICT Bae Kyung‑hoon confirmed that the leaked data included names, email addresses, phone numbers, shipping addresses, and partial order histories, but payment information and login credentials were not compromised.
The government has convened emergency meetings and established a joint public‑private task force to assess whether Coupang violated personal data protection laws. The investigation will examine the company’s security controls, incident‑response procedures, and compliance with the Personal Information Protection Act. The outcome could shape future regulatory enforcement and influence how e‑commerce platforms manage customer data nationwide.
The incident highlights the growing risk of insider attacks and the importance of robust authentication and monitoring systems. Coupang will likely need to invest heavily in cybersecurity infrastructure and employee vetting to restore confidence. The long‑term effect on customer retention and brand perception will depend on how quickly and transparently the company addresses the vulnerabilities and communicates remediation steps.
The content on BeyondSPX is for informational purposes only and should not be construed as financial or investment advice. We are not financial advisors. Consult with a qualified professional before making any investment decisions. Any actions you take based on information from this site are solely at your own risk.