South Korea's Personal Information Protection Commission (PIPC) has officially confirmed a massive data breach at Coupang, the nation's largest e-commerce platform, exposing the personal information of 33.67 million users. The incident, one of the largest cyber incidents in the country's history, came to light after dark web forums began circulating samples of stolen data last month, prompting urgent investigations by authorities.
The leaked records include sensitive details such as names, phone numbers, email addresses, home and delivery addresses, and partial payment information for users of Coupang's core services, including its popular Coupang Eats delivery app. While no full credit card numbers appear to have been compromised, experts warn that the breadth of the data could fuel targeted phishing attacks, identity theft, and spam campaigns. The PIPC stated that the breach occurred due to vulnerabilities in an internal database exploited by hackers sometime between late 2025 and early 2026.
Coupang, valued at over $50 billion and serving more than half of South Korea's online shoppers, issued a statement acknowledging the breach and apologizing to affected customers. The company revealed it has since patched the vulnerabilities, enhanced encryption protocols, and launched a full forensic audit with third-party cybersecurity firms. "Customer trust is our foundation, and we are deploying every resource to mitigate risks and notify impacted users," a Coupang spokesperson said, adding that free credit monitoring services would be offered to those affected.
Regulatory pressure is mounting as the PIPC prepares to impose fines potentially reaching billions of won under South Korea's stringent data protection laws, which were toughened following earlier breaches at firms like Interpark and Naver. The government has ordered Coupang to submit a detailed remediation plan within two weeks and is coordinating with police to track the perpetrators, believed to be a sophisticated hacking group operating from overseas.
This breach underscores escalating cybersecurity threats in South Korea's hyper-connected digital economy, where e-commerce penetration exceeds 80%. With Coupang's user base rivaling the national population, the fallout could erode consumer confidence and intensify calls for mandatory breach disclosure timelines and AI-driven threat detection. Privacy advocates are urging users to change passwords, enable two-factor authentication, and monitor accounts closely in the coming months.
As investigations deepen, the incident may catalyze broader reforms, including proposed legislation for real-time breach reporting and harsher penalties for non-compliance. For now, millions of Koreans grapple with the uncertainty of exposed data, highlighting the fragile balance between convenience and security in the age of instant delivery.
