Coupang Data Leak Exposes More Than Thirty Million Accounts and Raises Nationwide Alarm

Dec 1, 2025

Seoyeon Kim

South Korea is confronting one of the largest personal information leaks in its digital history after Coupang confirmed that data from approximately thirty three point seven million customer accounts had been exposed. The scale of the incident is staggering because it is almost equal to the entire active user base of the company. Since Coupang is the most widely used e commerce platform in the country, the leak has caused strong concern among both Korean citizens and foreigners living in Korea who rely on the service for daily necessities.

The Korean government released a detailed briefing stating that the unauthorized access began around June twenty fourth of this year. Coupang reportedly noticed signs of abnormal internal access on November eighteenth, almost five months after the leak is believed to have started. The company first announced that only around four thousand five hundred accounts were affected but later revised this number to thirty three point seven million after further investigation. This means the confirmed scale grew more than seven thousand five hundred times larger than Coupang’s initial statement, which has fueled anger and suspicion among customers.

Investigators now believe that this was not an external hacking case but an inside job. Multiple Korean reports indicate that a former employee of Chinese nationality is suspected of illegally viewing and downloading customer data by using internal access privileges. Coupang stated that no evidence of external hacking was found in its systems, which strengthens the suspicion that the data was taken by someone who already had legitimate access. Korean police received Coupang’s report and have launched an investigation, but the suspected former employee is believed to have already left the country, making the investigation more complicated.

According to government statements and media reports, the leaked information includes names, phone numbers, email addresses, delivery addresses, and certain purchase history details. Coupang emphasized that credit card numbers, bank account information, passwords, and financial data were not included. However cybersecurity experts warn that even basic personal information combined with address and phone details can enable large scale phishing operations and identity based scams. The Korea Internet and Security Agency has already issued alerts urging the public to be careful with suspicious phone calls and text messages that pretend to be official communications from Coupang or financial institutions.

The size of the leak is comparable to the largest personal data breaches in South Korean history. In the past, major cases involved telecommunications companies and social platforms, but the thirty three million account leak from Coupang is considered one of the biggest since the widely known Cyworld incident more than a decade ago. Some analysts estimate that nearly sixty five percent of the country’s population may be indirectly affected.

Coupang has long promoted its security management as industry leading and has held major national and international security certifications. Despite this reputation, the company has now experienced several large scale information exposure incidents in recent years. Critics argue that certification systems lose credibility when companies continue to obtain official recognition while still failing to prevent massive personal data leaks.

After the announcement became public, government ministries held emergency meetings and formed a joint investigation team involving the Ministry of Science and ICT, the Personal Information Protection Commission, the National Police Agency, and the Korea Internet and Security Agency. Lawmakers have also begun to discuss raising the legal limit for corporate penalties. Under current rules companies can be fined up to three percent of annual sales for violating personal data protection laws, but a proposed revision would raise the ceiling to four percent to match the levels used in the European Union and the United Kingdom. The proposal also increases the fine limit from twenty to thirty billion won when annual revenue cannot be clearly calculated. Supporters of the amendment say repeated and widespread data leaks from major platforms justify stricter penalties.

Coupang’s chief executive personally apologized at a government building on November thirtieth, acknowledging customer frustration and promising to improve the company’s security infrastructure. However the apology did not calm public anger. Many customers criticized Coupang for initially using the word exposure rather than leak, which gave the impression that the company tried to minimize the severity of the incident. Others expressed frustration that Coupang took so long to inform customers despite noticing abnormal activity earlier in the month.

Foreign residents in South Korea are also deeply concerned because they use the same customer systems as Korean users. Many international students, factory workers, English teachers, and corporate employees depend on Coupang deliveries for daily life. With limited Korean language skills, some foreign residents fear they may be easy targets for scams using stolen personal data. Security experts warn that scammers may call or text in mixed English and Korean, pretending to be from Coupang and requesting identity verification or refund details. Banks and legitimate companies never request full card details, passwords, or authentication codes over the phone, and any message that asks for such information should be treated as suspicious.

Customer anxiety is rising in online communities. Apartment residents worry because many people store front door passwords in their delivery instructions. Community forums report a rapid increase in requests to change common entrance codes. Several online groups have begun organizing potential class action lawsuits, with some gathering thousands of participants within hours of opening.

Although no financial information was leaked, experts say the long term damage from personal data exposure can be severe. Once information such as names, addresses, and phone numbers circulates on illegal online markets it is nearly impossible to retrieve. The risk of targeted scams can last for years. Cybersecurity specialists advise affected users to monitor their accounts, avoid clicking unknown links, and verify every unexpected phone call by contacting official customer service channels directly.

The Coupang incident highlights the fragile nature of digital trust in a society that depends heavily on online platforms. South Korea’s digital infrastructure is sophisticated and fast, but this convenience also means personal data is stored in concentrated systems where a single breach can affect tens of millions. The country now faces important questions about corporate responsibility, government oversight, and the balance between rapid technological growth and the safety of personal information. The investigation is ongoing. As authorities continue to review the case and consider stronger legal measures, the Coupang data leak stands as a significant reminder that digital convenience must be matched with equally strong protections. Until clearer answers emerge, many in South Korea and abroad will be watching closely to see how the nation responds to one of its most consequential cybersecurity failures.

#Coupang #KISA #ICT #globalposts