South Korea’s largest e-commerce company, Coupang, reported a data breach affecting 33.7 million users. The leak exposed the personal information of roughly three out of every four South Korean adults. Authorities say the breach was likely caused by an internal employee rather than external hackers and suspect a former Chinese staff member who has already left the company. Coupang reportedly did not detect the leak for five months, drawing criticism that its rapid growth came at the expense of customer data protection.
On Nov. 30, Coupang said it notified the Personal Information Protection Commission on Nov. 29 that 33.7 million customer accounts had been exposed without authorization. Given that Coupang has 32 million monthly active users, the breach effectively compromised nearly all customer accounts.
Earlier, on Nov. 18, Coupang discovered that 4,500 customer records had been exposed without authorization and reported the incident to the Personal Information Protection Commission on Nov. 20. Follow-up investigations later confirmed that the large-scale leak had been ongoing since June 24. Although the theft of customer information began five months earlier, the company remained unaware during that period. A commission official said, “Coupang only discovered the breach after consumer complaints were filed and verified. Without customer reports, the company likely would still be unaware.”
Coupang has filed a complaint with the Seoul Metropolitan Police Agency’s cyber investigation unit. The complaint does not name a suspect, listing the perpetrator as “an unidentified individual.” However, the incident report submitted to the Personal Information Protection Commission reportedly includes details suggesting the involvement of a former Chinese employee.
The Personal Information Protection Commission, together with the Ministry of Science and ICT, has launched a formal investigation through a joint public-private task force. Police have also opened a probe to determine how the leak occurred. The Seoul cyber investigation unit said on Nov. 30 that it had received Coupang’s complaint, secured related evidence and was analyzing the materials. On the same day, Coupang released an apology letter signed by CEO Park Dae-joon, stating, “We apologize for causing concern and inconvenience,” and adding, “We will do everything we can to prevent further damage.”
“Typically, employees have access only to the specific data sets for which they are authorized,” said Lee Sang-jin, a professor at Korea University’s Graduate School of Information Security. “The fact that a single employee repeatedly accessed such a large amount of data shows that internal monitoring and management were insufficient.”
Reporter 이소정 (sojee@donga.com)