Coupang Faces Probe and Potential Trillion Won Fine After Data Breach Hits 33.7 Million

What happened and why it matters

South Korea has been shaken by a major breach at Coupang, the country’s largest online retailer, that exposed personal information tied to about 33.7 million customer accounts. The scale is extraordinary, affecting roughly two thirds of the nation’s population. The incident has triggered a sweeping response from the presidency, regulators, and law enforcement, and it is already shaping a new debate over how companies protect personal data in a fast digitizing economy.

Coupang says it detected unauthorized access on November 18 and reported it to authorities. Later checks revealed the breach likely began on June 24 through servers located overseas and continued for months without being noticed. The company has apologized and is cooperating with investigators. Coupang says payment details and passwords were not accessed, but names, email addresses, phone numbers, shipping addresses, and some order histories were exposed.

President Lee Jae Myung has called the breach a wake up call for privacy protection and directed officials to prepare stricter penalties. Under the Personal Information Protection Act, companies that fail to implement adequate safety measures can face fines of up to 3 percent of annual revenue. For a company of Coupang’s size, that ceiling could approach or exceed one trillion won depending on the revenue base used for calculation. Police, the Korea Internet and Security Agency (KISA), and the Personal Information Protection Commission (PIPC) have all launched investigations, and authorities have warned the public to watch for phishing and scams that misuse leaked contact details.

How the breach unfolded

Authorities say the intrusion began via overseas infrastructure in late June and persisted until it was uncovered in November. Investigators are tracing network activity and reviewing how Coupang’s systems authenticated internal access. Early findings point to weaknesses in authentication controls. According to officials briefed on the case, an authentication key tied to a former employee remained active after the worker left, creating an opening for access to customer information. Police are examining whether a former developer, reported to be a Chinese national now abroad, abused lingering credentials or signature keys that should have been revoked.

Coupang says it has since blocked the access route, increased monitoring, and brought in independent security experts. The firm also notified KISA, PIPC, and the National Police Agency, and it is sending alerts to affected users. In parallel, government ministries formed a joint team to establish the chain of events and determine whether required safeguards were in place. The inquiry includes a review of possible violations of personal information protection rules.

Why inactive keys are dangerous

Modern platforms rely on keys and tokens that grant machines and staff limited permissions to perform specific tasks. If a key remains valid after a worker changes roles or leaves, it can become a ready made pass for unauthorized access. Security practice calls for least privilege access, prompt revocation when roles change, and frequent rotation of keys so they do not remain usable for long periods. Long lived keys are risky because a single lapse in revocation or monitoring can expose large volumes of data. In this case, investigators are looking at whether lingering credentials were used to move quietly through systems over several months.

Government reaction and the legal stakes

The breach has moved quickly from a corporate incident to a national concern. The presidency convened senior officials and ordered proposals to raise penalties and strengthen consumer protection. The Ministry of Science and ICT, PIPC, and the police are conducting a joint probe that spans technical forensics and compliance with data safety laws. KISA posted public advisories warning citizens to be vigilant about scams that might exploit leaked contact details and delivery information.

At a cabinet meeting, President Lee criticized the long gap between the start of the intrusion and its discovery. He urged rapid accountability and a reset in how large companies prioritize user data safety.

President Lee said the unnoticed months long breach was unacceptable and that data protection norms must change. He called for tougher sanctions and faster accountability. Then he added a broader warning about corporate culture around privacy.

“It is astonishing that Coupang did not even detect the breach itself for five months from when the incident first started. The wrong practice and the idea of not giving necessary care for personal data protection, which is a key asset in the age of artificial intelligence and digitalisation, must be completely changed.”

Legal exposure could be significant. Under current law, the maximum administrative fine is 3 percent of revenue if regulators find a failure to implement adequate safety measures. Coupang reports tens of billions of dollars in annual sales. A 3 percent penalty on such a base could reach hundreds of billions of won, and potentially over one trillion won when converted at recent exchange rates. Regulators are also reviewing punitive damage rules and whether to further increase penalties for repeated or large scale failures.

Financial markets reacted as the scope became clear. Coupang’s shares fell after police confirmed the size of the breach and said they were tracing IP addresses and reviewing tech vulnerabilities. Analysts expect customer churn to be limited because of Coupang’s market strength, but they caution that compensation for victims and potential penalties could lead to large one time costs.

What information was exposed and how to protect yourself

Coupang says the exposed data includes basic contact and delivery details and some order histories. The company says it has no evidence that credit card numbers, bank details, or passwords were compromised. That reduces immediate risk of direct financial theft, but the leaked contact and address details are valuable to scammers who excel at impersonation.

What information was taken

According to company notices and official briefings, the exposed fields include:

• Full name
• Email address
• Mobile and other phone numbers
• Shipping address
• Portions of order history

Criminals can use that combination to make phishing messages and calls sound convincing. A fake delivery notice that includes your name and the right address is more likely to trick people into clicking a malicious link or sharing payment details. KISA has told consumers to remain alert to voice calls, texts, and emails that appear to come from Coupang or courier services and to avoid clicking links in unsolicited messages.

Practical steps for customers

• Treat unexpected emails, texts, or calls that reference your orders or delivery issues with caution. Do not click links. Go directly to the official app or website and check notifications there.
• Enable two step verification on your accounts where available. Stronger login checks limit damage if other information is misused.
• Review recent orders and account activity for anything you do not recognize. Report anything suspicious to customer support.
• Be wary of requests for payment to resolve delivery problems. Reputable platforms do not ask for card details by text or phone.
• Consider using a password manager and unique passwords for every service. That reduces the risk of reuse across sites.
• If you believe your identity is being misused, file a complaint with authorities and request documentation from the company for any needed reports.

Coupang has said it is notifying affected users and has blocked the access route that enabled the intrusion. The company has also strengthened internal monitoring and engaged independent experts to assist with response and remediation.

Business impact on Coupang and the online shopping market

Coupang is a giant in Korean retail with nearly 25 million active users in recent quarters. It has expanded into quick delivery of groceries, logistics, and streaming, and it operates services in Japan and Taiwan. The company says there is no evidence that data from its Taiwan unit or other affiliated services outside South Korea were affected. Still, the domestic fallout is serious because the breach reached so many households.

Investors initially marked the stock lower as the scale of the breach became public and as police opened a formal probe. The immediate revenue impact may be limited if most customers stay, but the cost of addressing the incident, potential compensation, and any penalty could be large. If regulators apply the maximum percentage, the fine alone could approach the order of a trillion won depending on the revenue base used.

The episode also lands during a year of high profile cyber incidents in South Korea. In a separate case, SK Telecom faced a large penalty after a leak affecting tens of millions of subscribers. Another case at Lotte Card highlighted how criminals target companies that hold rich data about identity and purchases. Those cases preceded the Coupang breach and set a tougher backdrop for regulatory action.

Why major breaches keep recurring in South Korea

There is a pattern that combines vast data stores, complex internal systems, and pressure to move fast in competitive online markets. When a company relies on many internal and external developers and uses numerous services that talk to each other, oversight can fray. Keys and tokens may accumulate and fail to expire on schedule. Access may not always be limited to the minimum needed. In that environment, a single unrevoked key or a misconfigured server can give an attacker a clear path.

Officials have said repeated large leaks since 2021 point to structural weaknesses in personal information protection. The PIPC recently imposed a record fine on a telecom operator after a breach that went unnoticed for years. In the Coupang case, investigators are assessing whether internal governance and access control fell short despite significant spending on security and IT. Industry voices argue that spending alone does not guarantee strong protection if key rotation, audit discipline, and credential lifecycle management are not enforced day to day.

The government has ordered a review of punitive damages and penalties, signaling pressure for change that goes beyond a single company. Other platforms have begun internal security checks and audits. The conversation now extends to cross border engineering teams, data localization, and whether companies with overseas development hubs need tighter controls when handling domestic user data.

What rules apply to companies and what could change next

Under the Personal Information Protection Act, companies must safeguard personal data with appropriate technical and administrative measures. Failures that lead to leaks can trigger corrective orders, administrative fines, and claims for damages. The cap for fines sits at 3 percent of revenue, and new proposals could increase liability where there is serious harm or repeated negligence. Authorities are also evaluating whether to tighten reporting timelines, increase mandatory testing of access controls, and require stronger proof of key management and deprovisioning of access when staff leave or change roles.

For large platforms, the lessons are straightforward even if the execution is hard. Keys and tokens should have short lifespans. Access should be limited to the least privilege necessary. Deprovisioning should be automatic and immediate when roles change. Alerting and detection systems should flag unusual queries against user databases. Periodic internal red team tests and independent reviews can help find blind spots. Regulators are likely to expect visible progress on these basics as part of any remediation plan.

For users, the immediate risk centers on targeted scams, not direct theft of payment data, based on current findings. That can still cause real harm, especially for people who rely on delivery messages and mobile notifications in daily life. The combination of a correct name, address, and recent order detail makes a convincing lure. Consumer education and simple in app verification steps can blunt those attacks if users know what to look for.

At a Glance

• About 33.7 million Coupang customer accounts were exposed, the largest breach in South Korea in more than a decade.
• Leaked data includes names, email addresses, phone numbers, shipping addresses, and some order histories. Payment details and passwords were not included, according to the company.
• Unauthorized access is believed to have started on June 24 and was detected on November 18.
• Authorities are investigating authentication weaknesses and whether a former employee used lingering access keys.
• President Lee Jae Myung ordered tougher penalties and faster accountability, calling the months long detection gap astonishing.
• Regulators can fine up to 3 percent of revenue under current law, a level that could reach hundreds of billions of won or more.
• KISA issued public advisories warning of phishing and scam attempts that may exploit the leaked contact data.
• Police, KISA, and PIPC launched a joint investigation, and Coupang says it has blocked the access route and engaged outside experts.
• Law firms are preparing class action suits, and analysts expect sizable one time costs from compensation and any penalties.
• The case adds to a year of large breaches in South Korea and is likely to accelerate regulatory changes on data protection and internal access control.