Coupang — South Korea customer data exposure
South Korea's largest e-commerce platform reported 33.7 million customer accounts exposed; Korean police identified a former employee as the principal suspect.
- Target
- Coupang — South Korea customer data exposure
- Date public
- 4 December 2025
- Sector
- Retail
- Attack type
- Insider
- Threat actor
- Former employee (alleged)
- Severity
- High
- Region
- South Korea
In early December 2025 Coupang, the largest e-commerce platform in South Korea, disclosed a personal-data incident affecting approximately 33.7 million customer accounts — close to the entire adult population of the country. The exposed data included names, email addresses, phone numbers, shipping addresses, and order histories. Payment data was not in scope, according to Coupang’s notification to the Personal Information Protection Commission.
Korean police, working with Coupang’s own internal investigation, identified a former employee as the principal suspect, opening a formal investigation into insider misuse rather than external intrusion. The case is unusual in scale for an insider incident; the operational pattern — privileged access used to extract customer data after departure — is otherwise familiar.
The full breakdown will be added once the criminal proceedings have produced enough of a public record to establish the access path, the data-extraction mechanism, the controls that did or did not catch it, and the policy response from Korean regulators.