South Korean e-commerce giant Coupang has confirmed a massive data breach that exposed personal information belonging to nearly 33.7 million customers, making it one of the country’s largest cybersecurity incidents in recent years. The company publicly apologised over the weekend, acknowledging that the Coupang data breach stemmed from unauthorised access that may have continued undetected for months.
Park Dae-jun, CEO of Coupang, issued a statement on the company’s website saying, “We sincerely apologise once again for causing our customers inconvenience.” The firm, often referred to as the “Amazon of South Korea,” said it is cooperating with law enforcement and regulatory authorities as investigations continue.
Coupang Data Breach Went Undetected for Months
According to Coupang, the unauthorised access began on June 24 through overseas servers but was only discovered on November 18. The company initially believed only about 4,500 accounts were affected. However, further analysis revealed that 33.7 million users had some form of delivery-related personal information exposed.
The leaked data includes customer names, phone numbers, email addresses, shipping addresses, and certain order histories. Coupang stressed that no payment card information, financial data, or login credentials were compromised.
The company has 24.7 million active commercial users as of the third quarter, which means the Coupang data breach covers almost its entire user base.
Former Employee Identified as Main Suspect
South Korean police confirmed that they have secured the IP address used in the attack and have identified the suspect behind the breach. Investigators say the individual is a former Coupang employee, a Chinese national who has already left South Korea.
“We are analysing server logs submitted by Coupang. We have secured the IP used by the suspect and are tracking them down,” an official at the Seoul Metropolitan Police said. Authorities are also verifying whether the individual is linked to an email sent to Coupang threatening to reveal the stolen information.
Government Steps In as Public Concern Rises
The Ministry of Science and ICT held an emergency meeting on Sunday to review the scale of the incident and assess whether Coupang violated any personal information protection rules. Minister Bae Kyung-hoon said regulators are closely monitoring the company’s handling of the breach.
The Korea Internet & Security Agency (KISA) issued a public advisory warning users to remain alert for phishing attempts or scam messages pretending to be from Coupang. So far, police have not received reports of smishing or voice phishing linked to the breach, but authorities say preparations are in place in case the situation escalates.
The Coupang data breach adds to growing frustration among South Korean consumers, who have witnessed a series of major data leaks this year. SK Telecom and other large companies have faced similar cybersecurity incidents, increasing pressure on businesses to strengthen internal security controls.
Coupang Issues Customer Guidance
The company has started notifying impacted customers through email and text messages. In an FAQ shared with users, Coupang clarified what information was exposed and what steps customers should take. The company reiterated that payment, card details, and passwords were not affected.
Coupang also explained that it notified authorities immediately after confirming the issue and is committed to updating customers as the investigation progresses. For now, the company says users do not need to take additional action beyond remaining cautious of unsolicited calls, links or messages claiming to be from Coupang.
Police are verifying the suspect’s identity, travel history, and potential motives. They are also examining whether the individual acted alone or was linked to a wider scheme. The case has now moved from an internal inquiry to a full-scale criminal investigation.
As authorities continue to analyse server logs and cross-border activity, concerns remain that the scale or impact of the Coupang data breach could grow. For now, officials say there is no evidence of financial misuse, but investigations are still in early stages.
