On the morning of November 30, 2025, South Koreans awoke to an unexpected text from Coupang, the country’s largest e-commerce platform, often called the “Amazon of South Korea.” Most recipients ignored the message, accustomed to daily spam. Even for those who read it, the wording seemed mundane, almost routine. The alert explained that “some” customer information had been exposed due to unauthorized access and that Coupang was coordinating with government agencies to investigate. The breach reportedly involved names, email addresses, and physical mailing addresses.
What seemed minor at the time would soon reveal itself as one of the largest e-commerce data breaches in South Korean history—a scandal that threatened Coupang’s dominance in the national market. The term “some” actually referred to 33.7 million customers—nearly two-thirds of South Korea’s population of 52 million. That is more than the entire population of Canada. The breach had begun on June 24, 2025, meaning that for almost five months, someone had unrestricted access to personal data: addresses, purchase history, and even security codes for apartment buildings. Coupang, a company generating $30 billion in annual revenue, had no knowledge this was happening.
The root cause was disturbingly simple. In November 2022, Coupang hired a Chinese developer to manage its authentication system. Despite being a recent hire, he was given access to master cryptographic keys—essentially the “master password” for all user accounts. In July 2024, he left South Korea for China, but his credentials were never revoked. A year later, starting June 24, 2025, he used these keys to impersonate users and harvest data undetected. For 147 days, 33.7 million accounts were exposed. The breach was only discovered after the former employee sent threatening emails to customers.
Coupang’s initial public response attempted to minimize the situation, claiming only a few thousand records were affected and that the suspect’s damaged laptop had been recovered from China. Security experts quickly dismissed this, pointing out that the laptop’s recovery did not account for the massive data already exported to external servers. Eleven days later, Coupang’s own forensic analysis confirmed the full scale: 33.7 million users compromised.
The company’s security infrastructure in South Korea lagged behind its operations in Taiwan, where Coupang PassKey, a password-free biometric system, had been implemented. Critics argued that Coupang had prioritized growth in Taiwan over security in its home market. The media amplified the scandal, connecting it to past labor disputes, overwork deaths, and corporate negligence. The result: a public boycott, 2 million lost customers, and the resignation of the CEO of Coupang Korea.
Bom Kim, Coupang’s founder, remained in the U.S. as CEO of the American holding company. Legally, South Korea could not compel his appearance, despite generating over 90% of revenue from Korean operations. He later issued a written apology and promised $1.2 billion in compensation to victims—distributed as discount vouchers for Coupang services, widely criticized as insufficient. Coupang’s market capitalization dropped by $8 billion, and multiple U.S. class-action lawsuits followed, claiming failures in cybersecurity and risk management.
For consumers, the breach intensified ongoing threats. South Korea has long been targeted by voice phishing scams, bank impersonations, and fraudulent delivery messages, often using personal information to pressure victims into transferring funds. Before the Coupang breach, citizens were losing roughly $615 million annually to voice phishing; in 2025, losses surpassed $718 million in just ten months. The combination of detailed personal data and psychological pressure made these scams far more effective.
The Coupang breach was not an isolated incident. Previous large-scale leaks had affected Korea Credit Bureau, SK Telecom, and other major companies, exposing tens of millions of records. Most Koreans now ignore unknown numbers or messages, particularly the elderly, who remain highly vulnerable to scams exploiting personal data.
What makes the Coupang case unique is its scale, visibility, and geopolitical implications. With Bom Kim as a U.S. citizen and Coupang incorporated in Delaware, the South Korean government faced limits in enforcing accountability. The situation even drew U.S. attention, as lawmakers raised concerns over the treatment of American companies in Korea, turning a corporate data breach into an international issue.
Today, Coupang remains operational but bears the consequences of compromised trust. Consumers face heightened exposure to phishing and fraud, while the company grapples with reputational, legal, and financial fallout. The case underscores a stark reality: as technology accelerates convenience and reshapes daily life, vulnerabilities in digital systems carry far-reaching consequences. The cost is often borne by the very users who depend on these platforms most.
Follow Storyantra for more in-depth stories, breaking news, technology updates, investigative reports, and exclusive insights from South Korea and around the world.
.webp)
0 Comments