South Korean e-commerce firm Coupang said an unauthorized access incident exposed personal information for about 33.7 million domestic customer accounts, a figure that represents more than half of the country’s population.
The company reported it first detected unauthorized access on Nov. 18 that initially appeared to affect roughly 4,500 accounts, and that a subsequent investigation revealed a far larger exposure. Coupang said the affected data include customer names, email addresses, phone numbers, shipping addresses, partial order histories and certain delivery metadata, and that login credentials and payment card details were not accessed and remain protected.
Coupang told reporters it has reported the incident to the National Police Agency, the Korea Internet & Security Agency (KISA) and the Personal Information Protection Commission (PIPC). The company said it believes the intrusion began on June 24 and originated from overseas servers routed via infrastructure outside Korean jurisdiction. It said it has blocked the access route, strengthened internal monitoring and retained experts from a leading independent security firm it declined to name.
The retailer declined to identify who was behind the breach. Local media reports have suggested that a Chinese national who worked at Coupang leaked the data from inside the company. According to those reports, the individual resigned, used an authentication key that remained active after their contract ended, and left Korea.
Coupang warned customers to be alert for impersonation attempts by phone, text or other messages and issued a public apology. The incident follows an earlier breach at SK Telecom that exposed USIM identity data for nearly 27 million subscribers and resulted in a record ₩134.5 billion ($97 million) fine after regulators found basic access controls were not implemented.
Company officials did not publicly confirm an attacker or name the independent security firm handling the probe, and an investigation is ongoing. Officials and commentators say the breaches underscore that large, centralized commerce and communications systems remain high-value targets for identity theft and a focus of regulatory scrutiny.

