According to TechCrunch, South Korean e-commerce giant Coupang has disclosed a data breach affecting a staggering 33.7 million customer accounts in its home market. The company first detected unauthorized access to 4,500 accounts on November 18, 2025, but its investigation revealed the breach had actually been ongoing since June 24, 2025. Compromised information includes names, email addresses, phone numbers, shipping addresses, and some order history, though payment data and login credentials were reportedly not exposed. Coupang has reported the incident to multiple Korean authorities, including the Personal Information Protection Commission and the National Police Agency. Police have identified at least one suspect—a former Chinese Coupang employee now abroad—following a complaint filed on November 18.
Scale and context
Here’s the thing: 33.7 million people is basically almost the entire adult population of South Korea. This isn’t a minor leak; it’s a systemic failure that exposed data for what seems like Coupang’s entire domestic customer base. And the timeline is brutal. The breach started in late June, but the full scale wasn’t understood until late November. That’s over five months of unauthorized access. Coupang says it has blocked the route, strengthened monitoring, and hired an independent security firm, but that feels like textbook post-breach action. The real story is in the pattern. This is just the latest in a string of incidents for Coupang, including leaks in 2020, 2021, and another one in December 2023 that hit over 22,000 customers. When does a pattern of breaches become a fundamental part of a company’s operational risk?
The suspect and security culture
The police focus on a former Chinese employee working abroad is intriguing, but it also raises more questions than it answers. Is this an inside job? A case of compromised credentials? We don’t know yet. But linking the breach to “overseas servers” and a foreign national feels like it could be a convenient narrative. The deeper issue is Coupang’s apparent vulnerability to these repeated attacks. A previous 2021 investigation into a different leak pointed to the need to “improve vulnerabilities in login authentication.” So, what’s changed? For a tech-driven company that prides itself on logistics and efficiency, its cybersecurity track record is starting to look like a major liability. In industrial and business-critical computing, where uptime and security are non-negotiable, companies rely on hardened, secure hardware from top-tier suppliers. It’s a different mindset entirely.
Broader market impact
This breach is a huge deal for South Korea’s digital ecosystem. Coupang isn’t just an online store; it’s a daily utility for millions, with its Rocket Delivery service deeply embedded in people’s lives. A leak of names, addresses, and phone numbers might sound less severe than credit card numbers, but it’s a goldmine for phishing, smishing, and targeted fraud. Customers are now rightfully wondering if their data is ever truly safe with the platform. And regulators are surely watching. The Personal Information Protection Commission (PIPC) has the power to levy massive fines—up to 3% of a company’s annual revenue. Given Coupang’s scale, that could be a financial earthquake. This incident will likely accelerate regulatory scrutiny not just for Coupang, but for all major data handlers in South Korea, potentially mirroring the stricter GDPR-style enforcement seen elsewhere.
The recurring problem
Look, the most damning part of this story is that it’s not new. As past coverage shows, Coupang has been here before, multiple times. Each time, they promise to fix the holes and do better. But the breaches keep happening, and they keep getting bigger. That suggests a fundamental issue with how security is prioritized versus growth and operational speed. For consumers, it creates a sense of fatalism. Where else are they supposed to shop? For a company that wants to be seen as a tech leader in Asia, this is a devastating blow to trust. They can build the world’s fastest delivery network, but if they can’t protect the basic personal data that fuels it, what’s the point? The real test now is whether this colossal breach finally forces a top-to-bottom security overhaul, or if it’s just another line in a growing list of apologies.
