Korea-based ecommerce platform Coupang has detected a data breach that leaked almost 34 million Korean customers’ personal information.
The breach has allegedly been going on for five months, when the company first detected the unauthorised exposure of 4,500 user accounts on November 18. A subsequent investigation revealed that the breach in fact compromised about 33.7 million customer accounts in South Korea.
The investigation and suspects
The breach revealed customers’ names, email addresses, phone numbers, shipping addresses, and order histories, according to the company. Sensitive information such as payment information, credit card numbers, and login credentials was not compromised and remains secure.
Coupang reported the incident to the Korea Internet & Security Agency (KISA), the Personal Information Protection Commission (PIPC), and the National Police Agency. A company representative said that the investigation found no conclusive evidence that consumer data from Coupang Taiwan or Rocket Now was affected in the data breach.
Rocket Now is a food and restaurant delivery service offered by Coupang, which leverages the company’s logistics and technology and also operates in other markets such as Japan and Taiwan. The police allegedly already identified a suspect, a former Chinese Coupang employee now abroad, after launching the investigation.
The company believes that unauthorised access to personal data began on June 24, 2025, via overseas servers, according to the ongoing investigation. It blocked the unauthorised access route, improved internal monitoring, and retained experts from an independent security firm.
This event is the latest in a series of cybersecurity incidents in South Korea this year. The country is reeling from a string of high-profile hacks, affecting credit card companies, telecoms, tech startups, and government agencies. In many cases, regulators appeared to scramble in parallel, sometimes deferring to one another rather than moving in unison. Coupang itself suffered multiple data breaches that exposed delivery drivers and customers’ information before. Past incidents include leaks between 2020 and 2021, and most recently in December 2023.
