South Korea's e-commerce giant Coupang just disclosed a massive data breach that exposed personal information from 33.7 million customer accounts - nearly a quarter of the country's population. The breach ran undetected for over five months before the company caught it in November, making it one of the largest cybersecurity incidents in Korean corporate history.
Coupang, South Korea's answer to Amazon, just confirmed what cybersecurity experts are calling one of the most significant data breaches in Korean corporate history. The e-commerce giant revealed that hackers accessed personal information from 33.7 million customer accounts - that's roughly two-thirds of South Korea's entire population.
The company first noticed something was wrong on November 18 when it detected unauthorized access to 4,500 user accounts. But as investigators dug deeper, they uncovered a much larger problem that had been festering since June. According to Coupang's official statement, the breach compromised customer names, email addresses, phone numbers, shipping addresses, and order histories.
The good news? Payment information, credit card numbers, and login credentials weren't touched. "More sensitive data like payment information, credit card numbers, and login credentials was not compromised and remains secure," the company told investors and customers over the weekend.
Coupang moved quickly once it discovered the full scope of the breach. The company immediately reported the incident to Korea's Internet Security Agency (KISA), the Personal Information Protection Commission (PIPC), and the National Police Agency. They've also brought in external security experts to strengthen their defenses and block the unauthorized access route.
The timing couldn't be worse for Coupang, which went public on the New York Stock Exchange in 2021 and has been aggressively expanding across Asia. The company operates its signature "Rocket Delivery" service in South Korea and runs marketplaces in Japan and Taiwan. A company spokesperson confirmed to TechCrunch that the investigation found no evidence of compromise in their Taiwan or international operations.
What's particularly troubling is how the attackers got in. "According to the investigation so far, it is believed that unauthorized access to personal information began on June 24, 2025, via overseas servers," Coupang revealed in their incident report. The five-month window suggests sophisticated attackers who knew how to stay under the radar.
