Technology and online retail company Coupang has confirmed that a major data breach exposed personal information from 33.7 million customer accounts. The company stated that it discovered the incident on November 18, 2025, and notified the Personal Information Protection Commission, the police, and the national cyber agency. According to company statements, the exposed information included names, email addresses, phone numbers, shipping addresses, and some order histories. Coupang said payment data and login credentials were not accessed.
Regulators were informed that unauthorized access likely began on June 24, 2025, through servers located overseas. Investigators reported that the activity continued for several months before it was detected. Authorities said they are examining system logs, external access points, and potential weaknesses that may have allowed the breach to occur. They are also tracing IP addresses connected to the incident and reviewing whether data protection requirements were followed.
Police officials stated that a former employee is under investigation in connection with the breach. According to law enforcement, the individual is suspected of involvement in the unauthorised access and may have used foreign infrastructure to conceal activity. Investigators have not released additional details while the inquiry continues.
Coupang acknowledged that its initial review underestimated the scale of the breach. Early assessments suggested that only a few thousand users were affected. The confirmed estimate now covers nearly the entire Korean customer base. Public records show the company reported 24.7 million active customers in the third quarter of 2025, and the final number of exposed accounts significantly exceeds that figure because it includes inactive accounts as well.
The company blocked the access route after detecting the breach and introduced additional monitoring measures. Its chief executive issued a public apology and said the firm is working with authorities to support the investigation and strengthen controls where required. Coupang informed users that they should watch for unusual activity and report suspicious messages.
Government agencies released public guidance advising affected users to be alert to phishing attempts. Officials warned that exposed contact information may be used for fraudulent calls or messages. Cybersecurity specialists noted that data such as names, addresses, and phone numbers can increase the effectiveness of targeted scams even without financial information.
Regulatory bodies are reviewing whether the company complied with data management and notification rules. Officials said potential administrative penalties depend on the outcome of the investigation and the extent of any identified failures. Legal analysts noted that large-scale data breaches in the country have previously led to significant fines and mandatory corrective measures.
Public reaction has focused on the duration of the unauthorised access and the gap between the initial and final estimates. Commentators in national media questioned how long the breach went undetected and whether internal oversight measures were adequate. Consumer groups have called for clearer communication from companies handling large volumes of personal information and stronger enforcement of data protection standards.
Authorities said the investigation will continue until the full sequence of events is established. Coupang stated that it will apply further safeguards as required and will provide updates as the inquiry progresses.