SEOUL, November 30 (AJP) - Coupang, the top e-commerce platform with some 33 million monthly active users in South Korea, is facing growing criticism after confirming that personal information belonging to more than 33 million customer accounts was exposed in a major data breach. The scale of the incident has stirred anxiety among consumers and intensified scrutiny of how large technology companies protect basic personal data.
The breach has drawn wide attention because Coupang has become deeply embedded in daily life across Korea. For many households, especially working families and parents with school-age children, the overnight delivery service and wide product range function almost like everyday infrastructure rather than a simple retail option.
Coupang announced on November 29 that approximately 33.7 million accounts had been improperly accessed. According to the company, the leaked information includes customer names, email addresses, phone numbers, delivery addresses and parts of order histories. Coupang said no credit card numbers, passwords or payment information were exposed. The company stated that unauthorized access is believed to have begun on June 24 through an overseas server, meaning that customer information may have been vulnerable for nearly five months before the breach was detected.
The seriousness of the incident was underscored by a text message Coupang sent to customers around 9:30 p.m. on Saturday. In the message, the company apologized and said it had “reported the incident to the relevant authorities immediately” after discovering it. Coupang described the breach as the result of “unauthorized access,” said it had blocked abnormal pathways, strengthened internal monitoring, and confirmed that “card information, payment data and login-related information such as passwords were not exposed.” The message also warned customers to be cautious of calls or messages impersonating Coupang and included a link to an FAQ page for further updates.
Coupang said it identified unusual activity on November 18 and filed reports with the Personal Information Protection Commission on November 20 and November 29. The commission, known as the PIPC, has launched an investigation and said it will take action if any violations of the Personal Information Protection Act are confirmed. The Ministry of Science and ICT has formed a joint public-private team to examine the cause of the breach and prepare preventive measures, while police began a separate investigation after receiving a complaint from Coupang on November 25.
Public concern has risen steadily. Many users expressed fears about phishing attempts, identity theft and other secondary risks that often follow major data leaks. Others questioned how such a large breach could remain undetected for months and whether additional information may have been exposed during that period.
Scrutiny intensified after Coupang revised its initial estimate. On November 20, the company announced that about 4,500 accounts had been affected. Nine days later, the estimate rose to 33.7 million, an increase of roughly 7,500 times. The updated figure exceeds the company’s own total of 24.7 million active customers reported in its third-quarter results, suggesting that nearly all registered users, including inactive accounts, were affected.
The size of the breach surpasses the data leak at SK Telecom, which was breached in April 2025, which affected 23.24 million people and resulted in a record fine of 134.8 billion won imposed by the Korea Personal Information Protection Commission (PIPC), the country's personal information watchdog.
Other recent incidents have contributed to a sense of distrust among consumers. In September, Lotte Card initially said no customer information had been compromised in a security breach, then later acknowledged that card numbers and CVC codes had been leaked. KT faced allegations that evidence was removed during its response to a hacking case, prompting forced investigations earlier this month. These comparisons were drawn from publicly reported domestic cases.
With names, phone numbers, home addresses and years of purchase records potentially exposed, concerns about targeted scams remain high. Some users worry that increasingly personalized fraud attempts may follow because the stolen data could be used to craft convincing messages.
Coupang is facing questions about why the breach went unnoticed for so long and what steps it will take to support affected customers. Although the company maintains that payment information was not involved, many consumers say that even basic personal data can create long-term problems once leaked. Investigations by the PIPC, the Ministry of Science and ICT and the police are continuing, and the findings are expected to provide a clearer picture of what happened.
reporter
Park Sae-jin
swatchsjp@ajunews.com
Copyright ⓒ Aju Press All rights reserved.
