SEOUL — South Korean police on Monday said they have begun a formal investigation into what may be the worst customer data leak in the country’s history, after over 33 million users of Coupang had their personal information exposed.
Authorities are tracing IP addresses and probing possible technical vulnerabilities as they seek to confirm how the breach occurred.
Coupang, South Korea’s largest e‑commerce platform, disclosed that names, email addresses, phone numbers, shipping addresses and certain order histories were compromised though payment details and login credentials remained secure.
The company said the breach likely began on June 24 but went undetected until a routine internal security check in November. The leak affects more than 33 million customers nearly two thirds of the country’s population.
The breach has drawn sharp criticism from government officials who cautioned that such a massive exposure reflects deeper systemic issues in personal data protection nationwide.
South Korea has seen a surge in large scale data incidents in recent years. In August, the country’s largest mobile carrier, SK Telecom, was fined after a cyberattack exposed information for nearly 27 million users. With the Coupang leak, a fourth major data disclosure since 2021 has renewed concerns.
“The scale of this breach is unprecedented in South Korean e‑commerce,” said Lee Min‑joon, a cybersecurity analyst at the Seoul Institute for Digital Security. If confirmed that the leak originated through authentication vulnerabilities, it underscores both technical and organisational lapses.
Officials from the Ministry of Science and Technology have suggested that the breach exploited “authentication vulnerabilities” in overseas servers, adding that investigators will examine whether Coupang failed to comply with personal information protection laws.
Kim Hyun‑soo, a former network engineer turned data privacy consultant, said that breaches of this magnitude often stem from inadequate access controls and poor off boarding protocols when employees leave.
“It is common for old credentials to linger in peripheral systems. If not revoked immediately especially for overseas servers former staff could retain access,” Kim explained.
More than 33 million individuals affected by the Coupang data breach. Nearly 27 million users were impacted in a separate 2025 leak at SK Telecom.
Over four major leaks since 2021, pointing to systemic privacy vulnerabilities. By comparison, earlier cyberattacks that hit smaller firms exposed data on a few hundred thousand users.
The repeated nature of large scale leaks has triggered alarm among regulators and the public alike. Lee Ji‑woo, a frequent customer of Coupang in Busan, said she only learned of the breach through media reports.
“I ordered groceries just last month. It’s unsettling to think my personal information could be floating somewhere even if my payment info was safe.”
Another user, Park Dong‑hyun, speaking anonymously on an online forum, said he feared identity theft. “Many people reuse contact details and addresses for other services.
This leak could affect more than just shopping it could affect our entire digital identity.” Meanwhile a group of more than 10,000 users reportedly signed up for a possible class‑action lawsuit against Coupang.
A lawyer representing the plaintiffs said each claimant could demand more than 100,000 won (about 68 US dollars), a symbolic amount but potentially substantial when multiplied by thousands.
A spokesperson for Coupang declined to confirm details about possible suspects or to comment on whether the former employee allegedly involved would face criminal charges.
Police also declined to provide a timeline for concluding the probe. Experts and officials suggest the Coupang data breach may serve as a wake up call for Korea’s broader data security framework.
Government advisors are discussing enhancements to punitive damages laws, so companies risk greater financial consequences for failing to safeguard personal information.
Some privacy advocates hope the leak will accelerate reforms in corporate governance and access control practices. This has to be the turning point, said Park Eun‑ji, director at the Digital Rights Collective in Seoul.
“Companies must adopt zero‑trust models and government must impose stricter compliance audits.” At the same time, the reputational damage to Coupang could be long lasting.
Some customers may shift to more conservative or smaller marketplaces, while regulators may demand comprehensive external audits before allowing such platforms to expand into food delivery, fintech or streaming areas where Coupang has been aggressively growing.
The Coupang data breach represents one of the largest exposures of personal information in South Korean history.
As police trace IP addresses and investigate technical vulnerabilities, the incident has reignited national debate over data privacy safeguards and corporate accountability.
While customers await clarity and potential redress, regulators and industry watchers will closely monitor whether this episode leads to meaningful reform or becomes yet another marker of systemic failure in personal information protection.
