Coupang Data Breach Exposes 33.7 Million South Korean Customer Accounts

Coupang said on November 30, 2025 that unauthorized access had exposed personal information from roughly 33.7 million customer accounts in South Korea. The company reported discovering the incident on November 18, and said the intrusion appears to have started on June 24, creating an exposure window of roughly five months. Coupang notified authorities and said investigations are ongoing with law enforcement and regulators.

According to the company disclosure, the compromised fields included names, email addresses, phone numbers, shipping addresses and certain order history data. Coupang emphasized that payment card details and login credentials were not accessed. The company said the unauthorized access appears to have originated via overseas servers. It warned affected customers to be vigilant for phishing and social engineering attempts and said it is notifying users and planning remediation steps.

The scale of the exposure is striking in a country of roughly 51 million people. At approximately 33.7 million affected accounts, the incident would rank among the largest consumer data exposures in the region this year if forensic teams and regulators confirm the full scope. Coupang is a near ubiquitous presence in South Korean ecommerce, a dominant logistics operator and a major employer, which magnifies potential consumer and regulatory fallout.

The immediate consequences will be measured along several axes. First, regulators will assess whether the company complied with Korea's data protection rules and whether further penalties or mandated remedial measures are warranted. The Personal Information Protection Commission and other authorities typically investigate major breaches to determine responsibility and to consider sanctions, enforcement orders or required consumer relief.

Second, the incident could have commercial repercussions. Loss of consumer trust can depress usage of an online platform, increase customer acquisition costs, and shift market share toward rivals. For a company that relies on repeat transactions and subscription services, erosion of trust may translate into measurable revenue effects. Investors and lenders will be attentive to potential costs for notification, forensic analysis, legal exposure and accelerated cybersecurity investment.

Third, the cross border aspects of the intrusion underscore challenges for multinational investigations and the policing of servers and actors operating outside national borders. Cooperation between South Korean authorities and foreign counterparts will be central to tracing the origin and intent of the breach, and to recovering data or prosecuting perpetrators if they are identified.

Longer term, the breach reinforces a broader trend in which consolidation of consumer data at large platforms creates systemic vulnerabilities. Policymakers in Seoul and elsewhere have already been moving toward tougher rules on data minimization, incident reporting and platform accountability. A high profile breach of this scale is likely to accelerate those policy debates and could spur new requirements for audits, third party oversight and higher standards for encryption and access controls.

Coupang's next steps will be critical. Thorough forensic findings, transparent disclosure of the full scope, and measurable actions to protect customers will shape regulatory outcomes and the company's ability to restore confidence in the months ahead.