South Korean President calls for penalties after breach impacts 30M

The breach at Coupang, an e-commerce giant, is one of the largest in South Korea’s history, leading to speculation and criticism from the government.

 

What happened 

According to Cyber Press, the South Korean e-commerce company Coupang recently faced a breach impacting approximately 33.7 million customers. Nearly everyone in Coupang’s user database was impacted.

Coupang’s notice stated that the breached information included names, phone numbers, email addresses, shipping addresses, and complete order histories. No credit card numbers, payment information, or account passwords were accessed.

 

Going deeper

The incident first began on June 24th, 2025, but Coupang was unable to detect it until November 18th, 2025. At the time, the company believed only 4,500 users had been impacted, but a second internal security review showed that the scale of the attack had been much more significant. 

The breach is believed to be the fault of a former employee who had worked with the company’s authentication systems. The individual was able to exploit several digital cryptographic tools that assist with identity verification because his signing keys had not been revoked when he left the company. The unrevoked tokens allowed the user to log in from overseas, without ever triggering security alerts. The threat actor also  

 

What next 

The Seoul Metropolitan Police Agency is continuing to actively investigate the breach by examining Coupang’s server logs and working with international partners.

The incident has also sparked calls for increased penalties for corporate negligence, according to Reuters.

South Korean President Lee Jae Myung said it was “astonishing” that the company did not detect the breach. “The wrong practice and the idea of not giving necessary care for personal data protection, which is a key asset in the age of artificial intelligence and digitalization, must be completely changed.” 

Currently, South Korean law fines companies that fail to meet data protection requirements up to 3% of their revenue, which could result in a fine of $1 million won, approximately $680 million USD. 

 

The big picture

While this was a massive incident, it’s far from the only breach that was caused by negligence. The Office of Civil Rights’ Director, Melanie Fontes Rainer, has noted that healthcare organizations need to proactively check for vulnerabilities, stating, “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies.”

According to the Carnegie Mellon University Software Engineering Institute, insider threats continue to be a major challenge: “More than half of insider fraud incidents within the healthcare sector involve the theft of customer data.” As Coupang wrestles with the fallout of this incident, it’s imperative that organizations consider their protocols for former employees to ensure that losing an employee does not become a liability.
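To make the offboarding gap concrete, here is an added example (not code from Coupang or from any source cited in this article) of the two controls that address signing keys left unrevoked after an employee leaves: an audit that finds active keys owned by departed staff, and a verifier that rejects tokens signed under a revoked key. The key registry, HR departure list, key ids and token format are all constructed assumptions.

```python
import base64, hashlib, hmac, json
from datetime import date

# Constructed sample data (assumption): signing-key registry and HR departure list.
KEYS = {
    "k-2023-01": {"owner": "alice", "secret": b"constructed-secret-a", "revoked": False},
    "k-2024-07": {"owner": "bob", "secret": b"constructed-secret-b", "revoked": False},
}
DEPARTED = {"bob": date(2025, 1, 15)}  # constructed: owner -> last working day

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _mac(kid: str, payload: str) -> str:
    digest = hmac.new(KEYS[kid]["secret"], f"{kid}.{payload}".encode(), hashlib.sha256)
    return _b64(digest.digest())

def sign(kid: str, claims: dict) -> str:
    """Issue a token 'kid.payload.mac' (hypothetical format) under the named key."""
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{kid}.{payload}.{_mac(kid, payload)}"

def orphaned_keys() -> list:
    """Offboarding audit: keys still active whose owner has left the company."""
    return sorted(k for k, v in KEYS.items()
                  if not v["revoked"] and v["owner"] in DEPARTED)

def revoke_departed() -> list:
    """Revoke every orphaned key and return the ids that were revoked."""
    hit = orphaned_keys()
    for kid in hit:
        KEYS[kid]["revoked"] = True
    return hit

def verify(token: str) -> tuple:
    """Accept a token only if its key is known, not revoked, and the MAC matches."""
    try:
        kid, payload, mac = token.split(".")
    except ValueError:
        return False, "malformed"
    key = KEYS.get(kid)
    if key is None:
        return False, "unknown key"
    if key["revoked"]:  # checked before the MAC: a valid signature is not enough
        return False, "revoked key"
    if not hmac.compare_digest(_mac(kid, payload), mac):
        return False, "bad signature"
    return True, "ok"
```

Until `revoke_departed()` runs, a token signed with the departed owner's key verifies cleanly, which is why the audit has to be part of offboarding rather than something that waits for a detection alert.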

 

FAQs

Could a similar breach happen in the US? 

Yes, it’s possible that a breach like this could happen in the United States, as the breach was caused by negligence and the failure to revoke access to sensitive materials. 

 

Will Coupang face any other repercussions for the breach?

Outside of the likely fine, Coupang may also face a class action lawsuit, as well as weakened customer trust.