South Korea's e-commerce giant Coupang just disclosed a massive data breach that exposed personal information from 33.7 million customer accounts - nearly a quarter of the country's population. The breach ran undetected for over five months before the company caught it in November, making it one of the largest cybersecurity incidents in Korean corporate history.
Coupang, South Korea's answer to Amazon, just confirmed what cybersecurity experts are calling one of the most significant data breaches in Korean corporate history. The e-commerce giant revealed that hackers accessed personal information from 33.7 million customer accounts - that's roughly two-thirds of South Korea's entire population.
The company first noticed something was wrong on November 18 when it detected unauthorized access to 4,500 user accounts. But as investigators dug deeper, they uncovered a much larger problem that had been festering since June. According to Coupang's official statement, the breach compromised customer names, email addresses, phone numbers, shipping addresses, and order histories.
The good news? Payment information, credit card numbers, and login credentials weren't touched. "More sensitive data like payment information, credit card numbers, and login credentials was not compromised and remains secure," the company told investors and customers over the weekend.
Coupang moved quickly once it discovered the full scope of the breach. The company immediately reported the incident to Korea's Internet Security Agency (KISA), the Personal Information Protection Commission (PIPC), and the National Police Agency. They've also brought in external security experts to strengthen their defenses and block the unauthorized access route.
The timing couldn't be worse for Coupang, which went public on the New York Stock Exchange in 2021 and has been aggressively expanding across Asia. The company operates its signature "Rocket Delivery" service in South Korea and runs marketplaces in Japan and Taiwan. A company spokesperson confirmed to TechCrunch that the investigation found no evidence of compromise in their Taiwan or international operations.
What's particularly troubling is how the attackers got in. "According to the investigation so far, it is believed that unauthorized access to personal information began on June 24, 2025, via overseas servers," Coupang revealed in their incident report. The five-month window suggests sophisticated attackers who knew how to stay under the radar.
Korean police aren't sitting idle. According to Yonhap News Agency, investigators have already identified at least one suspect - a former Chinese Coupang employee who's now living abroad. The development points to an insider threat scenario, which security experts say is often the most damaging type of breach.
This isn't Coupang's first rodeo with data security. The company has faced multiple breaches over the past few years, including incidents between 2020 and 2021 that exposed both customer and delivery driver information. Most recently, in December 2023, their seller management system was compromised, affecting over 22,000 customers.
The pattern reflects a broader cybersecurity crisis across South Korea. As TechCrunch previously reported, the country has experienced "a breach every month" this year, raising serious questions about digital defenses at major corporations.
For Coupang, this breach represents more than just a security headache - it's a trust crisis. The company built its reputation on reliable, fast delivery and seamless customer experience. Now they're scrambling to reassure millions of customers that their data is safe while facing potential regulatory penalties and lawsuits.
The incident also highlights the growing sophistication of cybercriminals targeting Asian e-commerce platforms. With cross-border operations becoming the norm, a single breach can potentially affect customers across multiple countries, making incident response and regulatory compliance exponentially more complex.
The Coupang breach serves as a wake-up call for the entire e-commerce industry about the persistent threat of insider attacks and the need for continuous monitoring. With 33.7 million customers affected and a former employee identified as a suspect, this incident will likely reshape how Korean companies approach both cybersecurity and employee access controls. As Coupang works to rebuild trust and strengthen its defenses, other major platforms should take note - in today's interconnected world, a single breach can expose millions of customers across multiple countries within months.
