Data Breach at South Korea’s Largest Online Retailer Coupang Impacts Nearly 34 Million Customers

The personal information from nearly 34 million customer user accounts was exposed in a massive data breach at e-commerce giant Coupang.

U.S.-headquartered Coupang is South Korea’s largest online retailer, with about 25 million active users. It employs over 95,000 people and has an annual revenue of over $30 billion.

The e-commerce giant learned of the data breach on November 18 after detecting illegal access to 4,500 customer accounts.

“On November 18, 2025, Coupang became aware of unauthorized access to personal information related to the accounts of approximately 4,500 customers,” it stated.

It responded by launching an investigation and notifying South Korea’s regulatory authorities: the Korea Internet & Security Agency (KISA), the Personal Information Protection Commission (PIPC), and the National Police Agency.

Coupang data breach worse than initially anticipated

The probe found that attackers had gained access to an international server on June 24 and compromised the personal information of 33.7 million local customer accounts. However, its subsidiaries, Coupang Taiwan and Rocket Now, were not impacted by the data breach.

While the investigation is ongoing, details leaked included names, email addresses, phone numbers, shipping addresses, and order histories for some customers. However, the data breach did not leak payment information, including credit card details and bank account information, or account credentials such as passwords.

Nevertheless, Coupang has warned impacted customers to stay alert for convincing phishing scams that leverage the stolen personal information.

“Coupang’s breach is a reminder of what happens when one retail platform becomes the go-to hub for an entire country’s shopping needs,” said Steve Cobb, Chief Information Security Officer at SecurityScorecard. “With tens of millions of customer records tied to names, addresses, and order histories, the company effectively holds a national dataset. That scale of responsibility requires security controls that are as resilient as the amount of sensitive information being managed.”

Coupang has experienced data breaches in the past, including one that leaked the personal information of 460,000 customers. In December 2023, Coupang also leaked the personal data of 22,000 customers in a data breach involving Otter Korea, a third-party provider of an order information management system.

However, the recent breach is “the worst personal data leak” in South Korea’s history, according to the country’s media outlet, the Dong-A Ilbo.

Chinese national behind the Coupang data breach

So far, the company has not attributed the data breach to any domestic or foreign threat actor. However, sources link it to a Chinese former Coupang employee, who likely maintained access after their employment contract ended. South Korea’s Science Minister Bae Kyung-hoon says the attacker exploited “authentication vulnerabilities,” which are worth investigating.

The suspect allegedly breached the company after leaving South Korea. Subsequently, South Korea’s police say they are tracking the attacker using the IP address used to compromise the company.

Nevertheless, it remains unclear whether the suspect traveled to Mainland China and whether Beijing would agree to their extradition to face justice in Korea.

South Korea considers harsher penalties for data breaches

Meanwhile, South Korea’s Ministry of Science and ICT has indicated it could launch an inquiry into whether Coupang violated any data protection laws.

South Korea’s President Lee Jae Myung is also calling for harsher data breach penalties for companies that fail to protect the personal information of their customers.

“We must use this opportunity to completely change the incorrect practice of carelessly regarding personal information protection,” he said.

In September 2025, South Korea’s mobile giant SK Telecom was fined $97 million (134.8 billion won) for allegedly failing to prevent a data breach that leaked the SIM-related data of 23.2 million people.

“South Korea recently overhauled the Personal Information Protection Act (PIPA) which governs and protects personal data collected by both public and private entities,” said Nivedita Murthy, Senior Staff Consultant at Black Duck. “In case of a data breach, the organization is supposed to notify the commission which enforces this act within 24 hours, and in some cases, the affected individuals as well. There is a significant penalty when data is not protected including potential imprisonment.”

So far, over 10,000 South Koreans are also planning to join a class action lawsuit against the company, which could cost it upwards of millions of dollars and damage its reputation.

However, e-commerce retailers worldwide are under an elevated threat from cybercriminals, making the Coupang breach far from an isolated incident.

“This breach isn’t an isolated incident. In the UK alone, several major retail chains and e-commerce providers have recently reported breaches involving payment data, loyalty accounts, and customer identity information,” concluded Cobb.