The Scale of the Breach
The Ministry of Science and ICT of South Korea confirmed on Tuesday that 33.67 million user records were compromised in a massive data breach at Coupang, the dominant e-commerce platform in the country and a company listed on Nasdaq. The figure represents roughly two-thirds of the South Korean population of 51 million, making this one of the largest consumer data breaches in national history and affecting a significant portion of the digitally active population.
The investigation revealed that a former employee exploited authentication vulnerabilities to access names and email addresses of millions of users. Beyond the initial account information, the attacker accessed delivery list pages 148 million times, potentially exposing names, phone numbers, physical addresses, and even anonymized apartment entrance passwords. Since Coupang allows users to save up to 20 delivery addresses per account, the actual volume of compromised location data could far exceed the base account count, potentially affecting family members and associates of primary account holders.
Choi Woo-hyuk, who heads the cybersecurity and network policy office at the ministry, presented these findings at a government briefing in Seoul. The confirmation came nearly three months after Coupang first detected the intrusion on November 17, 2025, and marks a significant escalation from initial public statements by the company. The delay in public confirmation had sparked speculation that the announcement faced postponement due to concerns over trade pressure from the United States and claims by American politicians that the South Korean government discriminates against United States companies, allegations which the investigation team flatly denied.
The investigative team emphasized that they have never deviated from legal principles and have not treated any company differently, adhering to standards of prompt and transparent disclosure as results became available. This statement addressed growing concerns that the case might be influenced by diplomatic considerations rather than regulatory requirements.
How the Attack Unfolded
The breach originated from inside the organization. Investigators identified the attacker as a former Coupang employee who had developed user authentication software during his tenure. According to government analysis, this individual stole a signing key from an authentication system, conducted preliminary attack tests between January 5 and January 20, 2025, and subsequently deployed web crawling tools to extract data systematically.
The attack window stretched from April 14 to November 8, 2025, allowing the perpetrator to operate undetected for nearly seven months. Using the stolen signing key, the former employee forged what officials described as an electronic access pass, bypassing standard login procedures entirely. This method allowed continued access to Coupang services even after the individual left the company.
Lee Dong-geun, head of the Digital Threat Response Division at the Korea Internet & Security Agency, revealed that investigators found current Coupang developers had stored signing keys on personal laptops, contrary to internal rules requiring such credentials to remain within management systems. This practice created the vulnerability that enabled the breach.
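As an added illustration (not code from Coupang or the investigators), the sketch below shows why a verifier that trusts the signature alone accepts a pass minted with a copied signing key, and how a server-side issuance record and key rotation each reject it. The token format, HMAC-SHA256, the key names and the `jti` registry are assumptions; the reporting does not describe Coupang's actual scheme.

```python
import base64, hashlib, hmac, json

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _mac(key: bytes, kid: str, payload: str) -> str:
    return _b64(hmac.new(key, f"{kid}.{payload}".encode(), hashlib.sha256).digest())

def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Build 'kid.payload.signature' (constructed format, HMAC-SHA256)."""
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{kid}.{payload}.{_mac(key, kid, payload)}"

def verify_token(token: str, keyring: dict, issued_ids=None) -> str:
    """Return 'ok' or a rejection reason. issued_ids=None models a
    verifier that trusts the signature alone."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    kid, payload, sig = parts
    key = keyring.get(kid)
    if key is None:
        return "unknown-or-retired-key"
    if not hmac.compare_digest(_mac(key, kid, payload), sig):
        return "bad-signature"
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    # Assumed control: the login service records every jti it issues.
    if issued_ids is not None and claims.get("jti") not in issued_ids:
        return "never-issued"
    return "ok"

def demo() -> dict:
    key_v1, key_v2 = b"constructed-key-v1", b"constructed-key-v2"  # sample keys
    keyring = {"k1": key_v1}
    issued_ids = {"login-0001"}  # recorded by the login service at issuance
    legit = sign_token({"sub": "user-a", "jti": "login-0001"}, "k1", key_v1)
    # Token minted outside the login flow with a copy of key_v1.
    offline = sign_token({"sub": "user-b", "jti": "offline-9999"}, "k1", key_v1)
    return {
        "legit": verify_token(legit, keyring, issued_ids),
        "offline_signature_only": verify_token(offline, keyring),
        "offline_with_issuance_check": verify_token(offline, keyring, issued_ids),
        "offline_after_rotation": verify_token(offline, {"k2": key_v2}, issued_ids),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Rotating the key when a holder leaves closes the window on its own; the issuance record additionally flags any pass that never went through login while the old key is still trusted.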
The attacker accessed the Edit My Information page to harvest 33,673,817 records containing names and email addresses. Additionally, the delivery address list page was accessed 148.05 million times, while the order list page saw approximately 100,000 unauthorized views. Investigators confirmed the attacker possessed systems capable of transmitting data to overseas cloud servers, though they could not verify whether such transfers actually occurred.
The Government Verdict
South Korean authorities delivered a scathing assessment of Coupang's security posture. Choi Woo-hyuk characterized the incident as a clear management failure rather than a sophisticated external attack. The investigation team identified critical shortcomings in authentication system management and signing key controls.
This is a clear management failure by Coupang, not a sophisticated attack. The team identified shortcomings in the management of authentication systems and signing keys.
The investigation uncovered multiple compliance violations. Coupang failed to report the breach within the mandatory 24-hour window, notifying authorities on November 19 instead of the required November 18. More seriously, the company allegedly violated a data preservation order issued on November 19. Despite instructions to maintain evidence, Coupang did not adjust automatic log-saving policies, resulting in deletion of web access logs from July to November 2024 and app access logs from May 23 to June 2, 2025.
The ministry announced plans to impose administrative fines for the delayed reporting violation, which could reach 30 million won. Additionally, officials requested law enforcement to investigate potential obstruction related to the evidence destruction. Coupang must now submit preventive measures to the ministry by the end of the current month, with implementation scheduled for March through May, followed by government inspection in June and July.
Coupang's Defense Versus Reality
Throughout the investigation, Coupang maintained that while 33.7 million accounts were technically affected, the actual damage was limited. The company claimed that based on attacker testimony, only approximately 3,000 records were stored on the perpetrator's hard drive and subsequently deleted. This position has drawn sharp criticism from regulators and privacy advocates who view it as an attempt to minimize regulatory and reputational damage.
Choi Woo-hyuk directly challenged this interpretation during his briefing. He emphasized that under South Korean data protection standards, unauthorized access to personal information pages constitutes a data breach regardless of whether the data was stored locally or transmitted elsewhere.
Calling it an access does not mean less liability. The figure of 3,000 records is merely a company claim and serves only as a reference. We verified all materials independently. We examined Coupang servers to determine how much data was accessed by external attackers and how much was leaked.
A Coupang representative responded to the government findings by maintaining that the 148 million accesses to the delivery list page did not indicate the scale of the information breach. The spokesperson characterized these as attempts to collect individual personal data linked to the 33.7 million accounts, rather than evidence of 148 million separate data compromises. However, government officials countered that the sheer volume of access requests demonstrates the capability of the attacker to harvest comprehensive user profiles.
The discrepancy highlights fundamental differences in how corporations and regulators define data breaches. While Coupang focuses on confirmed data storage by the attacker, authorities treat any unauthorized viewing of personal information as a leak event, particularly when combined with evidence of systems designed for overseas data transmission.
Geopolitical Fallout and U.S. Legal Pressure
The breach has evolved from a domestic cybersecurity incident into a significant bilateral issue between South Korea and the United States. As a company listed in the United States with substantial American investor backing, Coupang has attracted attention from U.S. lawmakers who view the aggressive South Korean regulatory response as potentially discriminatory targeting of an American firm.
Interim CEO Harold Rogers faces mounting legal pressure on multiple fronts. South Korean police questioned Rogers for approximately 12 hours regarding allegations of perjury related to breach testimony. Simultaneously, the U.S. House Judiciary Committee has subpoenaed Rogers to testify on February 23, 2026, regarding the incident. The congressional inquiry examines whether Korean regulators are imposing unfair burdens on companies listed in the United States.
In New York federal court, a class action lawsuit seeks punitive damages against Coupang, alleging inadequate data protection and misleading disclosures about the breach scope. The legal action represents investors and users who claim they suffered losses due to security failures and subsequent downplaying of the incident by the company.
Some multinational companies operating in Seoul have privately warned that the response spanning multiple government agencies, involving nine agencies and hundreds of officials, is unprecedented compared to treatment of domestic firms. They cite a 2025 breach at SK Telecom affecting 27 million records, which did not trigger comparable investigations, as evidence of differential treatment. However, the Ministry of Science and ICT has firmly denied any deviation from legal principles, insisting that Coupang received identical treatment to any company facing similar violations.
President Lee Jae-myung has publicly pledged to make South Korea the best investment destination in the world, creating tension between demonstrating strong data protection enforcement and maintaining favorable conditions for foreign capital. The Coupang case now serves as a test case for how Seoul balances consumer privacy protection with international trade relationships.
Regulatory Consequences and Business Risks
Beyond the immediate fines for delayed reporting, Coupang faces severe regulatory jeopardy. The Federal Trade Commission has warned of possible business suspension, a drastic measure that would halt company operations entirely. The commission is also conducting a tax audit and has received a parliamentary complaint against founder Bom Kim and former executives.
The breach has also triggered a separate disclosure on February 5, 2026, revealing an additional 165,000 compromised user records. This secondary announcement intensified public outrage and reinforced perceptions that initial assessments by the company understated the damage.
Industry analysts note that the case establishes new compliance benchmarks for South Korean consumer platforms. The government's detailed reconstruction of the attack, including specific access counts and timeline analysis, signals an intent to create prescriptive control requirements applicable to other companies processing large volumes of personal data.
For Coupang users, the compromised data creates tangible safety risks. Delivery addresses, phone numbers, and building entrance passwords expose customers to potential stalking, targeted fraud, and physical security threats. Unlike payment card breaches, which financial institutions can mitigate through cancellation and monitoring, address and contact information remains permanently sensitive. The inclusion of third-party addresses, such as those of family members or friends saved in user accounts, expands the affected population beyond direct Coupang customers.
The Essentials
- 33.67 million Coupang user accounts were confirmed leaked, affecting approximately two-thirds of the South Korean population
- A former employee stole authentication signing keys and conducted unauthorized access between April and November 2025
- The attacker accessed delivery list pages 148 million times, potentially exposing addresses, phone numbers, and building entrance codes
- The Ministry of Science and ICT characterized the incident as a clear management failure and cited Coupang for delayed reporting and evidence destruction
- Interim CEO Harold Rogers faces police questioning in Korea and a U.S. congressional subpoena for February 23, 2026
- A U.S. class action lawsuit seeks punitive damages in New York federal court
- The Federal Trade Commission has warned of possible business suspension and is conducting a tax audit
- An additional 165,000 records were disclosed on February 5, 2026, separate from the main breach
- Coupang must submit preventive measures by the end of the month with government inspection scheduled for June and July