Half the Nation, Fully Exposed: Coupang Faces Fallout Over Security Failure

Unmasked online.
David Eberly
Contributing Writer

South Korean e-commerce giant Coupang has disclosed a major data breach involving approximately 33.7 million customer accounts, making it one of the most significant personal data leaks in the country’s history.

The breach was initially detected in November 2025, when unusual activity was noticed on just 4,500 accounts. The company’s deeper investigation later uncovered a much larger breach that had begun almost five months earlier, in June.

Authorities now believe the breach was carried out using access credentials left active by a former Coupang employee, who had previously worked on the platform’s authentication systems. Investigators found that the intruder exploited expired cryptographic signing keys to bypass internal security controls, gaining access to sensitive customer records.

The breach has triggered public outrage and official investigations by South Korea’s data regulators and police agencies.

Why It Matters: Regulatory authorities are now investigating whether the company failed to comply with national data protection laws, which could result in record-setting fines. The incident has also dealt a major blow to public confidence in how companies handle and protect personal information.

  • Vast Scope of Impact: The breach affected more than half of the country’s total population. Coupang had initially reported that just 4,500 users were impacted, but subsequent analysis revealed that the exposure was far more widespread. This miscalculation has raised questions about the company’s internal monitoring capabilities and its ability to detect and respond to threats in a timely manner.
  • Specific Data Compromised: Although credit card information and account passwords were reportedly not accessed, the breach did expose personal information that can be used for fraudulent purposes. The leaked data includes users’ full names, phone numbers, email addresses, shipping addresses, and some order histories. Experts have warned that this type of data is sufficient for scammers to carry out phishing campaigns and impersonation fraud, especially when the scam messages cite legitimate-seeming order histories.
  • Cause and Method of Intrusion: The attack was made possible by Coupang’s failure to revoke cryptographic signing keys belonging to a former employee. These digital keys were used to generate fake login tokens that bypassed authentication systems, allowing the attacker to log in from overseas locations without triggering standard alerts. The method points to serious weaknesses in Coupang’s employee offboarding procedures and infrastructure security, particularly regarding access to critical system components.
  • Legal and Financial Exposure: Coupang could face financial penalties as high as ₩1 trillion (about $680 million USD) under South Korea’s Personal Information Protection Act, depending on the outcome of regulatory investigations. Authorities are assessing whether Coupang failed in its legal duty to implement sufficient safeguards. If confirmed, this would far surpass any previous fine issued for data privacy failures in the country and could set a new standard for corporate accountability in the tech sector.
  • Public and Regulatory Backlash: The reaction from South Korean media and watchdog groups has been fierce. Major newspapers have condemned the company for allowing such a wide-scale breach to go unnoticed for months. Critics have called for tighter enforcement of privacy laws and stricter consequences for companies that mishandle personal data. Coupang has faced similar breaches in the past, and this recurrence has further eroded public trust, prompting customers to remain alert to potential scams involving their personal data.
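
The control gap described under "Cause and Method of Intrusion" can be shown with a token verifier that checks the status of the signing key as well as the signature. This is an added example, not Coupang's code: the `kid.payload.mac` token layout, the key registry, the key names, and the use of HMAC-SHA256 in place of whatever signature scheme was actually involved are all assumptions.

```python
import base64, hashlib, hmac, json

# Constructed key registry (hypothetical): each signing key carries a validity
# limit and a revocation flag that offboarding or rotation is expected to set.
KEYS = {
    "k-2024": {"secret": b"constructed-old-key", "not_after": 1_735_689_600, "revoked": False},
    "k-2025": {"secret": b"constructed-new-key", "not_after": 1_798_761_600, "revoked": False},
}
NOW = 1_764_547_200  # constructed "current time", later than k-2024's not_after

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(kid, payload, secret):
    return hmac.new(secret, f"{kid}.{payload}".encode(), hashlib.sha256).digest()

def sign_token(kid, claims, keys=KEYS):
    """Issue a token 'kid.payload.mac' under the named signing key."""
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{kid}.{payload}.{_b64(_mac(kid, payload, keys[kid]['secret']))}"

def verify_token(token, now, keys=KEYS, check_key_status=True):
    """Return (claims, reason). check_key_status=False models the weak verifier."""
    try:
        kid, payload, mac = token.split(".")
        key, given = keys[kid], _unb64(mac)
    except (ValueError, KeyError):
        return None, "malformed token or unknown key"
    if not hmac.compare_digest(_mac(kid, payload, key["secret"]), given):
        return None, "bad signature"
    if check_key_status and key["revoked"]:
        return None, "key revoked"
    if check_key_status and now > key["not_after"]:
        return None, "key expired"
    claims = json.loads(_unb64(payload))
    if now > claims.get("exp", 0):
        return None, "token expired"
    return claims, "ok"
```

A token freshly signed under the retired key `k-2024` carries a valid signature and a future `exp`, so a signature-only verifier accepts it; only the key-status checks reject it.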

Go Deeper -> Coupang Data Breach Exposed Personal Records of 33.7 Million Customers – Cyber Press

E-commerce platform breach exposes nearly 34 million customers’ data – BBC

Korea’s Coupang says data breach exposed nearly 34M customers’ personal information – TechCrunch
