South Korea’s e-commerce giant Coupang has revealed that a data breach ongoing since June 24, 2025, exposed personal information tied to about 33.7 million customer accounts prior to detection — representing a majority of its user base. The compromised information includes names, email addresses, phone numbers, shipping addresses and certain order histories; the company affirmed that no payment data, credit-card numbers or login credentials were accessed. The breach — triggered, authorities say, by misuse of still-active internal authentication keys by a former employee now abroad — triggered a criminal investigation, public outcry, and growing calls for strengthened privacy regulation.
Sources: Reuters, eSecurity Planet
Key Takeaways
– The breach exposed basic but sensitive personal data of roughly 34 million customers — a scale that may include a large portion of South Korea’s adult population.
– While financial and login data reportedly remain secure, the leaked information still leaves consumers vulnerable to phishing, identity theft, or scam attempts.
– The breach appears to be driven not by external hacking but by insider misuse of privileged access — underscoring the difficulty of controlling internal data security risks.
In-Depth
The disclosure by Coupang has rocked South Korea’s e-commerce sector: the breach went unnoticed for more than five months, only coming to light when a small number of account exposures triggered an internal review. Initial estimates suggested only a few thousand accounts were compromised — but a full forensic investigation later revealed the actual number: about 33.7 million. That massive gap between early detection and full disclosure sharpens concerns over system monitoring, internal controls, and digital hygiene in large platforms.
Coupang says the data exposed was limited to names, email addresses, phone numbers, shipping addresses and some order histories. Crucially, it claims that more sensitive data — payment info, credit-card details, passwords — remain uncompromised. That distinction matters: while the leak may not lead directly to financial theft, the exposed personal data still creates a rich target pool for phishing, social engineering, and identity scams. In a world where targeted phishing — particularly impersonation attacks — is a growing problem, addresses and phone numbers give malicious actors potential footholds for broader fraud.
What makes the breach especially troubling is the apparent cause. According to investigation reports, a former employee — reportedly of Chinese origin — retained valid authentication keys after departure, allowing access from overseas servers. In effect, the breach was not through a sophisticated external exploit, but through mismanagement of insider access — a scenario that many organizations underestimate or underprepare for. That kind of lapse shows just how fragile even “secure” systems can be when human-facing controls fail: revoking credentials should be a basic hygiene step whenever a staff member leaves or changes roles.
The fallout is just beginning. South Korean police are investigating, tracing IP logs and server access, and authorities are evaluating whether the company violated data-protection regulations. On the regulatory front, this isn’t just a matter of public trust — it’s forcing a rethink: some lawmakers are calling for harsher penalties for corporate negligence; others demand structural reform to ensure that data privacy obligations carry real teeth, even for major firms.
For customers of Coupang — and by extension, any large digital marketplace — the message is clear: no matter how big the company, no system is immune to internal risk. When privileged access isn’t closely managed and revoked upon staff exit, the consequences can be catastrophic. And while credit-card thieves may not have struck this time, opportunistic scammers trolling for identity fodder likely already are.