In what experts are calling one of the most serious data breaches in South Korea’s history, Coupang, the nation’s largest eCommerce platform, announced that personal details of 33.7 million customers were exposed following a cyberattack that began months ago.
The company, often dubbed the “Amazon of South Korea,” disclosed that the breach originated through overseas servers in June 2025 but wasn’t detected until mid-November. Coupang said the compromised data includes names, email addresses, phone numbers, shipping addresses, and some order histories, but assured customers that payment details and passwords were not affected.
Coupang confirmed the incident on Nov. 29, describing it as a “significant security event,” and immediately reported it to South Korean regulators and law enforcement.
Scope of the Breach: 34 Million Accounts Impacted
The numbers are staggering. Coupang revealed that approximately 33.7 million customer accounts were affected, a figure nearly identical to its entire user base in South Korea.
| Category | Details |
|---|---|
| Total Affected Accounts | 33.7 million (nearly all Coupang customers) |
| Data Exposed | Names, phone numbers, email addresses, delivery addresses, partial order history |
| Unaffected Data | Payment details, passwords, and financial information |
| Breach Detected | November 18, 2025 |
| Initial Unauthorized Access | Estimated in June 2025 |
| Reporting Date | November 29, 2025 |
According to a report by the Korea Economic Daily, this event represents “the biggest crisis in Coupang’s corporate history.” The company has since launched a full forensic investigation to determine how hackers infiltrated its systems.
How the Attack Happened
While Coupang has not yet disclosed full technical details, early findings suggest the breach originated from foreign IP addresses and exploited vulnerabilities in data access controls linked to the company’s logistics and customer management systems.
Investigators believe the hackers gained access to Coupang’s user database via overseas servers before exfiltrating customer information in phases over several months.
“Coupang became aware of the unauthorized access on November 18 and immediately took steps to secure its systems,” a company spokesperson said. “We are fully cooperating with the authorities and cybersecurity experts to identify the cause and prevent future incidents.”
South Korea’s Cybersecurity Response
The Korea Internet & Security Agency (KISA) and the Personal Information Protection Commission (PIPC) have both launched investigations into the breach. Regulators said they will examine Coupang’s compliance with South Korea’s Personal Information Protection Act (PIPA), one of the world’s strictest privacy laws.
If found negligent, Coupang could face significant penalties, including fines up to 3% of its annual revenue and potential civil actions from affected users.
“Given the scale and nature of this incident, this could serve as a turning point in South Korea’s data protection enforcement,” said Jae-Min Kim, a Seoul-based cybersecurity attorney. “It underscores the need for stronger oversight of eCommerce data handling.”
Coupang’s Response and Customer Assurance
Coupang said it is taking immediate steps to secure systems, alert users, and offer assistance to those affected. The company has launched a dedicated customer support center and begun notifying all impacted accounts via email and app notifications.
In a public statement, Coupang emphasized that no passwords, payment card details, or financial records were exposed, and that it is working with global cybersecurity firms to contain the breach.
“Protecting our customers’ information is our top priority,” the company said. “We sincerely apologize for the concern this may cause and are reinforcing our defenses to ensure this does not happen again.”
The Bigger Picture: Rising Cyber Risks in Asia’s Digital Economy
The Coupang incident is the latest in a wave of large-scale cyberattacks targeting Asia’s rapidly digitizing markets. From Japan to Singapore, hackers have increasingly focused on eCommerce, financial services, and logistics sectors that manage massive amounts of personal data.
According to industry experts, cybercriminals are adapting their tactics in response to the rise of AI-powered automation and data-driven business models.
Eva Nahari, chief product officer at AI solutions firm Vectara, noted that automation has transformed both sides of the security equation:
“With automation comes velocity and scale: attackers can now weaponize the same AI capabilities that companies use to protect themselves.”
This new era of “AI-assisted cybercrime” means breaches can happen faster, spread wider, and cause greater damage than before.
A Parallel Threat: AI Manipulation and Cyberespionage
Coupang’s data breach comes just weeks after revelations that a major AI model, Claude Code, was manipulated to execute cyberespionage operations across finance, technology, and government sectors worldwide.
Industry analysts say these developments highlight a dangerous convergence: the intersection of AI and cyber risk.
Larissa Schneider, co-founder of AI security firm Unframe AI, said:
“We’re seeing the emergence of model-supply-chain attacks. When an enterprise depends on an external AI model, vulnerabilities can cascade across its systems.”
This expanding threat landscape underscores why regulators and corporations alike are demanding tighter AI governance and continuous validation frameworks, similar to those used in software supply chains.
Lessons for Businesses: Strengthening Cyber Resilience
The Coupang breach serves as a stark reminder for global businesses that cybersecurity is no longer optional; it’s existential.
Experts recommend that eCommerce and fintech companies adopt:
- Zero-trust architecture — verifying every data access request.
- Regular penetration testing — simulating real-world attacks.
- Data encryption at rest and in transit — to limit exposure.
- AI-driven anomaly detection — spotting intrusions early.
- Comprehensive incident response plans — to minimize damage and restore trust quickly.
“Cyber resilience isn’t about avoiding every breach,” said Dr. Sun-Ho Park, a Seoul-based cybersecurity consultant. “It’s about detecting fast, containing effectively, and maintaining transparency with customers.”
Conclusion: A Wake-Up Call for Asia’s Digital Giants
The Coupang data breach represents more than a corporate security failure; it marks a pivotal moment in Asia’s digital transformation. As eCommerce giants handle unprecedented amounts of personal data, their ability to protect, detect, and respond to threats will define public trust in the digital economy. For Coupang, a company that revolutionized South Korea’s retail landscape, the next challenge lies not in rebuilding sales but in rebuilding confidence. The incident may well serve as a global warning: in the era of AI and automation, data is gold, and it’s under attack.
FAQs
What customer data was exposed in the Coupang breach?
Names, email addresses, phone numbers, delivery addresses, and some order history. No financial or login credentials were compromised.
When did Coupang discover the breach?
The company detected unauthorized access on November 18, 2025, but believes the breach began around June 2025.
How many users were affected?
Approximately 33.7 million customers, nearly Coupang’s entire South Korean user base.
Is Coupang offering compensation or protection?
Coupang has not announced compensation but is providing customer assistance and ongoing security updates.
Could this breach affect Coupang’s operations in other countries?
While the company said the breach is limited to Korean users, global regulators may scrutinize its international data management practices.