South Korea’s largest online retailer, Coupang, has apologised following a massive data breach that may have exposed the personal information of nearly 34 million local customers. The incident is under investigation by the country’s internet authorities, who say details from millions of accounts are likely to have been compromised.
The e-commerce platform, often referred to as South Korea’s equivalent of Amazon, initially discovered unauthorised access to around 4,500 customer accounts on 18 November. Subsequent checks revealed that approximately 33.7 million accounts, all within South Korea, may have been affected. Coupang said the breach could have started as early as June via a server located overseas.
Exposed information includes names, email addresses, phone numbers, shipping addresses, and some order histories. Credit card information and login credentials were not accessed, and the company said no immediate action is required from users. The affected accounts represent more than half of South Korea’s population of roughly 52 million, with Coupang reporting nearly 25 million active users.
Coupang apologised to its customers and urged them to remain vigilant against scams impersonating the company. The firm did not provide details on the identity of the perpetrators, though South Korean media reported that a former Coupang employee from China is suspected to be involved.
Authorities are reviewing the scale of the breach and assessing whether Coupang violated any data protection rules. The Ministry of Science and ICT said that, due to the large number of citizens affected, the commission plans to conduct a swift investigation and impose strict sanctions if safety regulations under the Personal Information Protection Act were breached.
This is not the first time Coupang has faced cyber-security challenges. Previous incidents include a breach exposing the data of 460,000 customers. The latest incident has drawn harsh criticism from local media. The editorial board of Chosun Ilbo described the breach as “preposterous” and called for strong sanctions, while Dong-A Ilbo labelled it “the worst personal data leak” in South Korean history, questioning the effectiveness of Coupang’s internal data protection systems.
The incident is the latest in a series of cyber-attacks affecting major South Korean companies this year, despite the country’s strict data privacy regulations. In a high-profile case, SK Telecom, the nation’s largest mobile operator, was fined nearly $100 million over a breach affecting more than 20 million subscribers. In September, credit card firm Lotte Card reported a cyber-attack that exposed the data of nearly three million customers.
The scale of the Coupang breach highlights ongoing concerns about cyber-security and data protection in South Korea, where public trust in corporate handling of personal information is increasingly under scrutiny.
