South Korea’s largest e-commerce company, Coupang, has suffered an unprecedented data breach affecting 33.7 million users. Sensitive information, including names, phone numbers, home and delivery addresses, email addresses, and the last five orders, was accessed without authorization. Given the scale and sensitivity of the data, the incident is being called the worst personal data breach in South Korean history.
The breach reportedly began on June 24, but Coupang did not discover it until November 18. Failing to detect such a massive leak for five months suggests the company’s internal data protection system was ineffective. Coupang suspects a former Chinese employee accessed customer information through an overseas server. Police investigations are ongoing, but if a single employee could access nearly all customer data, the access control system clearly failed.
It is unclear how the initially reported 4,500 affected accounts surged to 33.7 million in just nine days. Coupang said additional leaks were uncovered during the investigation, but a full inquiry is needed to determine whether the company tried to conceal or downplay the incident. The company maintains that payment and login information were not compromised, so no account-related action is required. Experts warn this assessment is overly complacent, and further investigation could reveal additional leaked data, increasing the potential for harm.
Even the currently confirmed leaks raise serious concerns about secondary damage. If delivery information included building entry codes, it could lead to stalking or home intrusion. Phishing scams disguised as victim inquiries, compensation offers, refunds, or app updates are also expected to increase. Coupang should adopt a proactive and responsible approach to prevent further harm, rather than merely issuing warnings about fraudulent calls and messages.
This year alone, large-scale breaches occurred at SK Telecom, affecting 23.24 million users, and Lotte Card, affecting 2.97 million users. Coupang, SK Telecom, and Lotte Card all hold the government-certified ISMS-P information security certification, yet none were able to prevent leaks. Authorities should use this incident to fully review the now-ineffective certification system and implement practical, effective reforms.