In late November 2025, Coupang, a leading South Korean e-commerce platform, disclosed a monumental data breach that compromised the personal information of over 33.7 million customer accounts, an alarming figure that represents nearly two-thirds of South Korea's total population. The breach was initially detected during a routine audit when unusual activities were reported on approximately 4,500 customer accounts. However, further forensic investigations revealed that the incident had actually begun months earlier, in June 2025, highlighting significant inadequacies in the company’s cybersecurity practices. The compromised data included sensitive details such as names, phone numbers, hashed passwords, and partial addresses, setting off alarm bells regarding privacy and security in the digital landscape. While no full payment card information or bank credentials were accessed, there were indications of potential token misuse tied to mobile payments, raising concerns over identity theft and financial fraud.
The technical investigations revealed that the breach was facilitated by an unpatched vulnerability in an internal API, exploited by attackers to gain unauthorized access to Coupang’s systems. This incident served as a clarion call for urgent reforms in security architecture, specifically emphasizing the need for enhanced oversight and rigorous practices in managing user authentication systems. The investigation further underscored a pronounced insider threat, linked to a former Coupang employee who had maintained unauthorized access credentials after leaving the company in 2024. Such failures in authentication key management can serve as a critical lesson for other organizations, illustrating how a single overlooked vulnerability can lead to vast consequences.
In the wake of the breach, Coupang underwent significant corporate restructuring, highlighted by the resignation of CEO Park Dae-jun and the appointment of Harold Rogers as interim CEO. This leadership change was necessitated by public outcry and a compelling need for accountability. Following the breach, the company faced severe stock volatility, with shares falling nearly 17%, prompting potential legal investigations into corporate governance and individual accountability. This incident has also prompted South Korean regulators to initiate formal investigations while convening emergency hearings to enhance oversight policies. The creation of an interagency task force further emphasizes the government's commitment to tackling systemic cybersecurity challenges and enhancing consumer protection measures.
As a direct consequence of this breach, consumer trust has been severely shaken, with reports indicating a spike in fears over phishing and identity theft. Small businesses reliant on Coupang for sales have experienced significant revenue drops, while customers have begun actively checking if their personal data is being sold on the dark web. The Coupang incident underscores the pressing need for reinforced cybersecurity measures and the development of robust frameworks that prioritize consumer education, data protection, and incident response strategies across the digital economy.
The timeline of the Coupang data breach reveals a complex evolution of detection and investigation. Initial signs of the breach were noted in November 2025, when Coupang observed unusual activity on approximately 4,500 customer accounts. However, a deeper forensic investigation uncovered that the breach had actually commenced nearly five months earlier, in June 2025. This delay in detection underscores the challenges faced by organizations in proactively monitoring for insider threats and compromised accounts in high-traffic platforms like Coupang.
Following the identification of anomalies in data access, which were primarily detected during a standard internal audit, Coupang promptly initiated an investigation. It was during this inquiry that investigators pinpointed the major breach resulting in data exposure. The company officially disclosed the breach to the public on December 1, 2025, escalating an already growing concern over digital security in South Korean e-commerce.
The scale of the Coupang data breach was significant and alarming, with approximately 33.7 million customer accounts affected. This represents a substantial demographic impact, as it accounts for nearly two-thirds of South Korea's population. Compromised data included sensitive personal information such as full names, phone numbers, hashed passwords, partial addresses, and order histories. Notably, although no complete payment card numbers or bank account credentials were accessed, there were indications that attackers had viewed tokens related to mobile payments, hinting at potential misuse.
The breach's ramifications extend beyond immediate security concerns; it increases the risk of phishing scams and identity fraud as threat actors may leverage exposed data for targeted social engineering attacks. The enormity of this incident has not only drawn the ire of the public but has also triggered a formal investigation by South Korea’s data regulatory bodies to assess Coupang’s compliance with national data protection laws.
Investigators have identified that the breach was facilitated through an unpatched flaw in an internal API that connects user authentication systems with logistics management modules. Attackers exploited this vulnerability to gain initial access to the network, allowing them to escalate privileges and navigate laterally within Coupang's digital infrastructure. This exploitation reportedly occurred between November 17 and November 29, 2025.
Once inside, the attackers were able to exfiltrate sensitive customer data, ultimately leading to extensive exposure. Coupang realized the magnitude of the breach when unusual data transfer patterns coincided with unauthorized login attempts that aligned with the stolen credentials. This incident highlights the critical need for regular security audits, continuous monitoring, and rigorous API management practices to prevent similar breaches in the future. The breach exemplifies how a single unaddressed vulnerability can lead to widespread data compromise across significant consumer platforms.
The investigation into the Coupang data breach revealed a pronounced insider threat, primarily attributed to a former employee's continued access to internal systems after leaving the company. According to reports from the Seoul Metropolitan Police Agency, the breach, which compromised the personal information of approximately 33.7 million customers, was traced back to a 43-year-old former engineer who had worked on authentication management systems. Despite having exited the company in 2024, he allegedly retained access credentials that facilitated unauthorized access to Coupang’s systems, culminating in a breach that ranks as the most severe cybersecurity incident in South Korean history.
Authorities noted that the breach began on June 24, 2025, yet it remained undetected by Coupang until November 18, 2025. This delay in discovery underscores significant failings in security protocols, particularly concerning the management of authentication keys. Investigators emphasized that the weak management of these keys, which are crucial for access control systems, allowed an individual with prior clearance to exploit vulnerabilities and access sensitive customer data.
The former employee at the center of the Coupang breach played a pivotal role in the unfolding of this incident. He had originally joined Coupang in November 2022 and had been involved in the company's authentication management processes. It is believed that after his departure, he maintained access rights that he exploited to leak customer information. According to police reports and analysis from cybersecurity experts, this situation highlights not only the risk of insider threats but also systemic failures within Coupang's internal security policies concerning access management.
Investigations revealed that the ex-employee targeted the company while operating from overseas servers, effectively bypassing required security protocols. This not only accentuates the importance of timely revocation of access rights following an employee's departure but also indicates a broader issue of lax adherence to security measures that should prevent unauthorized access from former employees. The ramifications of this breach extended beyond Coupang, inciting a wave of phishing attacks that leveraged the compromised data, affecting a large portion of the population.
The breach at Coupang can be traced back to critical failures in authentication key management. According to a detailed assessment by authorities, one of the primary issues was the long validity period assigned to authentication keys issued for accessing sensitive data systems. The keys, often valid for 5 to 10 years without the necessary rotations or updates, allowed the former employee to exploit his access, even after his departure from the company. The officials emphasized that such lax security practices not only weakened Coupang’s defenses but also laid the groundwork for exploitation of access control weaknesses.
In an analogy shared by government officials, the authentication token is likened to an access card, while the signing key is comparable to an authentication stamp that verifies the access card's validity. If the stamp is not regularly updated or renewed, it opens opportunities for misuse. This situation illustrates a critical oversight in Coupang's security infrastructure, where the failures were not merely human errors but were indicative of deeper organizational and structural problems in maintaining robust cybersecurity protocols.
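The access-card and stamp analogy above, as an added example (not Coupang's code and not taken from the investigation): a small HMAC token verifier in which every signing key carries its own validity window, so a token stamped with a retired key is rejected even when the token's expiry claim looks fresh. The token format, key IDs, lifetimes, secrets and function names are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass

DAY = 86_400  # seconds

@dataclass(frozen=True)
class SigningKey:
    kid: str
    secret: bytes
    not_before: int        # epoch seconds
    not_after: int         # verifier refuses this key after this instant
    revoked: bool = False  # set at offboarding or on suspected exposure

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(key, subject, now, ttl=3600):
    """Stamp the 'access card': HMAC-SHA256 over the encoded claims."""
    claims = {"sub": subject, "kid": key.kid, "iat": now, "exp": now + ttl}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key.secret, payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64(sig)

def verify_token(token, keyring, now):
    """Return (accepted, reason); the key's lifetime is checked, not only exp."""
    try:
        payload, sig_b64 = token.split(".")
        claims = json.loads(_unb64(payload))
        sig = _unb64(sig_b64)
    except ValueError:
        return False, "malformed"
    kid = claims.get("kid") if isinstance(claims, dict) else None
    key = keyring.get(kid) if isinstance(kid, str) else None
    if key is None:
        return False, "unknown-key"
    expected = hmac.new(key.secret, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad-signature"
    if key.revoked:
        return False, "key-revoked"
    if not key.not_before <= now <= key.not_after:
        return False, "key-expired"
    iat, exp = claims.get("iat"), claims.get("exp")
    if not (isinstance(iat, int) and isinstance(exp, int) and iat <= now < exp):
        return False, "token-expired"
    return True, "ok"

def demo():
    t0 = 1_700_000_000       # constructed key-issue time
    later = t0 + 400 * DAY   # long after the key holder has left
    secret = b"constructed-demo-secret"
    ten_year = SigningKey("k-10y", secret, t0, t0 + 3650 * DAY)
    ninety_day = SigningKey("k-90d", secret, t0, t0 + 90 * DAY)
    current = SigningKey("k-now", b"constructed-new-secret",
                         later - DAY, later + 89 * DAY)
    # A retained copy of an old key can still stamp fresh-looking tokens.
    stale_10y = issue_token(ten_year, "former-staff", later)
    stale_90d = issue_token(ninety_day, "former-staff", later)
    rotated_ring = {"k-90d": ninety_day, "k-now": current}
    return {
        "never_rotated": verify_token(stale_10y, {"k-10y": ten_year}, later),
        "rotated": verify_token(stale_90d, rotated_ring, later),
        "current": verify_token(issue_token(current, "service", later),
                                rotated_ring, later),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Only the key's validity window differs between the first two cases: the same retained secret is accepted under a ten-year key and refused under a 90-day one.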
In the wake of the catastrophic data breach that exposed personal information of 33.7 million customers, Park Dae-jun resigned as CEO of Coupang. His resignation was a direct response to the widespread public outcry and subsequent corporate accountability demands triggered by this incident. Park acknowledged his grave responsibility for the breach in a statement, expressing deep regret for disappointing the public and committing to stepping down from all his positions. This leadership change highlights the gravity of the security lapse and indicates a strategic move to reset the company’s governance in light of the severe fallout.
Following Park's resignation, Coupang's U.S.-based parent company appointed Harold Rogers, the former Chief Administrative Officer, as the interim CEO. Rogers is expected to oversee the immediate crisis management efforts as the company seeks to stabilize operations and regain public trust. His mandate includes addressing customer anxieties regarding data security and navigating the turbulent regulatory landscape arising from the breach. This appointment signals Coupang’s recognition of the need for fresh leadership capable of steering the company through its recovery phase and implementing rigorous cybersecurity enhancements.
The data breach had immediate adverse effects on Coupang's stock price, which plummeted nearly 17% following the announcement of the breach, marking significant market volatility. This decline reflected investor trepidation over potential regulatory repercussions and the financial implications of a heightened scrutiny environment. Law firms began investigating Coupang for possible securities fraud, suggesting that shareholders might pursue legal action if corporate officers are found to have failed in their fiduciary duties. The company's significant market valuation coupled with its faltering share prices underscores the critical relationship between cybersecurity practices and investor confidence, as the breach exposed systemic deficiencies in data protection measures that may have long-term ramifications on its financial health.
On December 14, 2025, Coupang Inc. formally disclosed its massive data breach, impacting approximately 33 million customers, to U.S. regulators by filing an 8-K report with the Securities and Exchange Commission (SEC). This disclosure came as tensions mounted due to an impending parliamentary hearing in Seoul regarding the breach. In the report, Coupang stated that it became aware of the cybersecurity incident involving unauthorized access to customer accounts on November 18, 2025, and activated its incident-response procedures immediately. The company reported the incident to relevant Korean authorities and began notifying affected customers about the potential compromise of their data, which included personal details but notably did not include banking information or login credentials. The SEC filing also mentioned that Korean regulators had commenced their own investigations into the breach.
On December 17, 2025, a parliamentary hearing was held to scrutinize Coupang's handling of the data breach. During this session, Harold Rogers, the interim CEO of Coupang, faced intense questioning from lawmakers. The hearing drew criticism due to the absence of founder and chairman Bom Kim, resulting in accusations of disrespect towards the parliament and the public. Lawmakers expressed frustration as the answers they needed remained elusive. Despite Rogers' assurances of cooperation with ongoing investigations, he failed to address specific measures regarding customer compensation or new data security protocols. The hearing not only examined the breach itself but also uncovered wider operational issues within Coupang, including labor management concerns and questionable delivery practices, positioning the company at the center of national scrutiny.
In response to the data breach, on December 18, 2025, the South Korean government announced the establishment of an interagency task force to manage the fallout from the incident. Chaired by the Minister of Science and ICT, the task force includes representatives from various government bodies such as the Personal Information Protection Committee and the Financial Services Commission. This strategic formation aims to consolidate efforts in investigating the breach thoroughly and improving accountability measures for Coupang. The task force is set to conduct both regular and ad-hoc meetings to monitor developments in the ongoing investigations and develop regulatory frameworks to prevent future breaches, reflecting the government’s commitment to addressing cybersecurity lapses in major corporations.
Following the unprecedented data breach involving Coupang, a significant rise in phishing fears has been reported among South Korean consumers. According to a recent survey conducted by Stealth Solution, nearly 67% of respondents expressed concerns about an increase in phishing attempts immediately after the breach was announced. The survey, which collected data from 1,000 adults between December 12 and 14, found that many individuals, despite their fears of identity theft and financial loss, did not take adequate protective measures. Only 5.1% reported changing passwords across all shopping platforms, highlighting a general reluctance to enhance personal online security even amid widespread anxiety. Instead, a substantial portion of the consumers continued to reuse passwords and credentials, making them more vulnerable to potential attacks.
In the aftermath of the Coupang data breach, South Koreans began to actively search whether their personal information was being traded on the dark web. Data from the Korea Internet & Security Agency (KISA) indicated a staggering 717% increase in usage of its leak verification service, with over 107,802 searches conducted between November 28 and December 11. This marked shift in consumer behavior reflects growing apprehension over personal safety and data integrity. Furthermore, applications for protective services related to potential identity fraud saw remarkable increases, demonstrating the public's urgency to safeguard their information against further exploitation. These inquiries and protective actions underscore the broader implications of the breach, prompting many consumers to recognize their vulnerability in an increasingly digital marketplace.
The data breach has had immediate and profound consequences for small businesses reliant on Coupang for sales. Reports indicate that many vendors experienced significant drops in sales—some exceeding 30% shortly after the breach came to light. Approximately 70% of their online revenue depends on the Coupang platform, and the uncertainty surrounding consumer trust since the breach has shifted some businesses to consider diversifying their sales channels. While vendors in certain sectors like fashion and beauty reported less disruption, the overall sentiment among small merchants is one of vulnerability and concern for future viability. The Korea Federation of Micro Enterprise urged Coupang to take responsibility and implement measures to mitigate the negative impacts on its small business partners, revealing a potential risk of a broader backlash against the platform if trust is not swiftly restored.
The landscape of cryptocurrency-related crime has undergone significant transformations in 2025, marked by a discernible shift towards fewer but more damaging attacks. Over $3.4 billion in digital assets were looted globally, illustrating a trend where a small number of high-value incidents contributed disproportionately to total losses. Notably, the March 2025 hack of the Bybit exchange alone accounted for approximately $1.5 billion of that total. According to Chainalysis' report, the top three service-level hacks represented a staggering 69% of all losses suffered that year. This trend challenges traditional security models that focus primarily on reducing the frequency of incidents rather than limiting the impact of individual breaches. In an environment where major thefts can significantly affect the entire market, strategies need to focus on mitigating systemic risks rather than merely preventing low-frequency attacks.
The operational methodologies behind these thefts have evolved; North Korea-linked cybercriminals, for instance, adopted sophisticated tactics that enable them to execute large-scale operations with reduced chances of detection. By infiltrating IT departments within crypto exchanges and related entities, they capitalize on insider access to maximize their thefts. This exemplifies the urgent need for enhanced security protocols that not only guard against external threats but also address vulnerabilities from within organizations.
The rise of artificial intelligence in cybersecurity has introduced new dimensions to both offensive and defensive strategies. Reports have surfaced indicating that AI tools are increasingly exploited for cyberattacks, with notable incidents such as Chinese actors using AI models to enhance their hacking capabilities. According to testimonies presented at a recent congressional hearing, AI tools have allowed attackers to automate as much as 80-90% of their attack chains, resulting in operations that are executed at speeds far exceeding human capabilities. This growing reliance on automated processes raises significant concerns regarding the resilience of current cybersecurity frameworks.
Policymakers are addressing these challenges, noting that as AI technologies become intertwined with cyberattack strategies, existing defenses struggle to evolve at a comparable pace. Companies are realizing the necessity to adapt AI in their security measures actively; for instance, deploying AI-augmented tools to identify vulnerabilities and defend against AI-driven attacks is becoming increasingly critical. The potential for AI to supercharge hacking efforts underscores the pressing need for comprehensive strategies that encompass not just the use of AI but also the formulation of regulatory frameworks to govern its application in cybersecurity.
The urgency following incidents like the Coupang data breach has spurred many industries to adopt advanced fraud detection technologies at an accelerated rate. Organizations have increasingly recognized that static security measures are insufficient in today's rapidly evolving cyber landscape. As evidenced by new strategies, companies are now prioritizing real-time monitoring and adaptive response mechanisms that utilize machine learning algorithms and behavioral analytics to detect and respond to anomalies indicative of fraudulent activities.
Moreover, the alarming patterns of crypto theft and the utilization of AI for attacks have catalyzed investments in collaborative defenses. Organizations within the cybersecurity ecosystem are pooling resources and intelligence to counteract threats more effectively. This shift represents a broader industry trend where the boundaries between competitors start to blur, emphasizing the shared responsibilities for cybersecurity. As these advanced technologies are integrated, the challenge remains not only to implement them effectively but also to ensure they are adaptable to the ever-changing tactics employed by cybercriminals.
The Coupang data breach has unveiled critical vulnerabilities in key management and insider access controls, raising essential questions about the integrity of cybersecurity protocols in major corporations. The ramifications of such a high-profile incident extend well beyond Coupang itself and have ignited a broader conversation about corporate responsibility and regulatory frameworks in South Korea and beyond. As businesses grapple with the fallout, the requirement for rigorous oversight and transparent accountability measures has never been clearer. Moving forward, organizations must not only overhaul their internal security practices but also engage in proactive communication with consumers to fortify trust that has been eroded by such events.
There is a compelling need for the integration of zero-trust models and continuous threat monitoring systems into the operational fabric of digital businesses. These methodologies not only provide better frameworks for guarding against future breaches but also support a holistic approach to cybersecurity that includes employee training and consumer education. The evolution of attacks, particularly those leveraging insider knowledge, emphasizes the importance of multilayered security strategies that combine advanced technology with sound human practices.
Looking ahead, the upcoming initiatives by regulatory bodies and industry stakeholders will be crucial in shaping a more resilient digital landscape that can withstand evolving cyber threats. The implications of the Coupang incident are noteworthy; it signals an imminent shift in how personal data is safeguarded and how organizations respond to vulnerabilities in their systems. As the cybersecurity landscape continues to transform, a collaborative approach that fosters public-private partnerships can be instrumental in developing innovative solutions and legislative frameworks that protect consumer interests while fostering a secure digital economy.