South Korean e-commerce giant Coupang announced over the weekend a significant data breach impacting nearly 34 million of its customers. The compromised information includes names, email addresses, phone numbers, shipping addresses, and some order details. This incident highlights the growing threat of cyberattacks targeting large consumer databases, and raises questions about data security practices within the region’s booming e-commerce sector.
Coupang Data Breach: Millions of Customer Records Exposed
The company first identified suspicious activity on November 18th, involving around 4,500 user accounts. However, a subsequent investigation revealed the scale of the incident to be far greater, affecting approximately 33.7 million customer accounts in South Korea. According to Coupang, more sensitive data such as payment information and login credentials were not accessed during the breach.
Timeline and Initial Response
Coupang stated the unauthorized access is believed to have begun on June 24th, 2025, originating from servers located overseas. The company quickly moved to block the access route and bolster its internal security monitoring. They have also engaged an independent security firm to assist in the ongoing investigation and mitigation efforts.
Authorities, including the Korea Internet & Security Agency (KISA), the Personal Information Protection Commission (PIPC), and the National Police Agency, have been notified of the data security incident. Law enforcement officials have reportedly identified a former Chinese Coupang employee, currently residing outside of China, as a key suspect in the attack.
Scope of the Compromise and Geographic Impact
The breached data centers on personally identifiable information (PII) used for order fulfillment and communication. This includes data necessary for shipping and basic customer service, but crucially excludes financial details, providing some limited reassurance to affected users.
A Coupang spokesperson confirmed that, at this time, the investigation has found no evidence of data compromise affecting its operations in Taiwan or its food delivery service, Rocket Now, in Japan. This isolates the impact of the breach to Coupang’s South Korean customer base.
Recurring Cybersecurity Concerns in South Korea
This recent event isn’t an isolated case; South Korea has experienced a surge in cybersecurity threats throughout 2025. Coupang itself has been the victim of several previous data breaches, including incidents in 2020, 2021 and a more recent compromise in December 2023.
The December 2023 breach affected the company’s seller management system, exposing personal information related to over 22,000 customers. These recurring incidents point to systemic vulnerabilities that require continuous attention and investment in stronger security infrastructure.
Additionally, increasing instances of attacks on South Korean companies reflect the nation’s advanced digital infrastructure and its attractiveness to malicious actors. South Korea’s robust economy and high internet penetration make it a prime target for cybercrime, as demonstrated by earlier incidents targeting other large institutions.
Implications for Customers and the E-commerce Sector
The compromised data could expose customers to phishing attempts, identity theft, and other forms of online fraud. Experts recommend that affected individuals remain vigilant about suspicious emails or messages and closely monitor their financial accounts. It is also advisable to enable two-factor authentication on all online accounts as an added layer of security.
Coupang emphasized that payment data was not impacted by the breach. However, the incident may still erode consumer trust in the platform and the broader South Korean e-commerce ecosystem. This could influence consumer behavior, potentially leading to a shift toward more cautious online shopping habits.
The PIPC is expected to launch a formal investigation into Coupang’s data handling practices and security measures. The findings of this investigation could result in significant fines and mandated improvements to the company’s data protection procedures.
Looking ahead, Coupang is expected to provide further updates to affected customers and cooperate fully with the ongoing investigations. Regulatory bodies will likely review existing data breach notification laws and consider strengthening penalties for companies that fail to adequately protect customer information. The effectiveness of Coupang’s response and the long-term impact on its reputation remain to be seen.

