South Korea’s largest retailer, Coupang, has suffered a data breach that exposed the personal information of 33.7 million customers.
The firm has warned on its Korean-language site that the incident occurred on June 24, 2025, but the company only discovered it and began its investigation on November 18, 2025.
“On November 18, 2025, Coupang became aware of unauthorized access to personal information related to the accounts of approximately 4,500 customers,” reads the public statement.
“As a result of follow-up research, we learned that the information of 33.7 million accounts was exposed.”
Although the investigation is still ongoing, customer information confirmed to be exposed includes full names, phone numbers, email addresses, physical addresses, and order information.
Coupang noted that payment information, including credit card data and account information such as passwords, was not exposed.
Coupang is a U.S.-based tech and online retail company that operates in the South Korean market. It employs 95,000 people and has an annual revenue of over $30 billion.
The company has already reported the incident to the applicable authorities in the country, including the National Police Agency, the Personal Information Protection Commission, and the Korea Internet & Security Agency. Impacted individuals will also be informed via email or SMS.
Coupang noted that customers whose information was exposed should remain vigilant for calls, texts, and other communications impersonating the retail giant.
The company did not share any information about the type of attack and who the perpetrators might be, and by publication time, no cybercriminals had assumed responsibility for the attack.
Korean Herald’s The Investor reports that the breach was carried out by a former employee, who used unrevoked access tokens to steal sensitive data from Coupang’s systems. However, BleepingComputer has not been able to corroborate these details independently.
The Coupang breach is the second massive-scale cybersecurity incident in South Korea this year.
In April, SK Telecom, the country’s largest mobile network operator, warned customers that sensitive USIM data had been exposed due to a malware infection impacting its networks.
The company later confirmed that the initial infection began three years ago, in June 2022, affecting a total of 27 million subscribers, which corresponded to its entire customer base.

