Korean gov't confirms 33.67 mil. user records leaked in Coupang breach

South Korea's Ministry of Science and ICT confirmed Tuesday that a massive data breach at e-commerce giant Coupang exposed the personal records of 33.67 million users, marking one of the largest cybersecurity incidents in the nation's history. The breach, detected in late 2025, compromised sensitive information including names, phone numbers, addresses, and partial payment details for roughly two-thirds of South Korea's internet-savvy population. Officials described the scale as "unprecedented," prompting immediate regulatory scrutiny and calls for enhanced data protections.

The intrusion occurred through a vulnerability in Coupang's third-party logistics partner's server, according to preliminary investigations. Hackers accessed the system over several weeks in November, exfiltrating records before the flaw was patched. While Coupang swiftly notified affected users via email and app alerts last month, the government's verification came after an independent audit verified the breach's scope. No evidence of identity theft has surfaced yet, but experts warn of looming phishing and fraud risks as stolen data circulates on underground forums.

Coupang, often dubbed "Korea's Amazon" for its rapid delivery and market dominance with over 20 million monthly active users, issued a statement expressing regret and outlining bolstered security measures, including AI-driven threat detection and multi-factor authentication rollouts. CEO Bom Kim emphasized the company's commitment to user trust, pledging compensation for verified misuse of data. Shares in the Nasdaq-listed firm dipped 4% in after-hours trading following the announcement, reflecting investor concerns over potential lawsuits and fines.

Regulatory pressure is mounting, with the Personal Information Protection Commission launching a formal probe into Coupang's compliance with Korea's strict data laws. Penalties could reach billions of won, mirroring fines imposed in prior breaches like the 2023 Interpark incident. Lawmakers from both major parties vowed to introduce tougher cybersecurity mandates, targeting e-commerce platforms amid rising digital threats from state-sponsored actors and cybercriminals.

For everyday Koreans reliant on Coupang's Rocket Delivery for essentials, the breach underscores vulnerabilities in the country's hyper-connected economy. Cybersecurity firms report a 25% uptick in related scams since the leak, urging users to monitor accounts and enable fraud alerts. As Seoul pushes its "Digital New Deal," this incident highlights the tension between innovation and security, potentially reshaping how giants like Coupang handle the world's most valuable consumer data.