South Korean retail behemoth Coupang has admitted to a data breach that exposed the personal details of 33.7 million customers, turning the company’s famed “Rocket Delivery” logistics empire into an express shipment for personal information.
The e-commerce titan, often dubbed the “Amazon of Korea,” is South Korea’s largest retail platform, logistics operator, and warehousing network – a vertically integrated retail giant whose next-day delivery service, Rocket Delivery, has become shorthand domestically for cardboard boxes arriving before customers have fully remembered ordering anything at all.
Coupang confirmed the data breach to The Register on Monday. It first detected unauthorized access on November 18, initially tied to just 4,500 customer accounts, before a subsequent investigation revealed that roughly 33.7 million domestic accounts were caught up in a far broader exposure.
The breach spans more than half of South Korea’s population and includes customer names, email addresses, phone numbers, shipping addresses, partial order histories, and certain delivery metadata. Coupang insists the attackers failed to reach login credentials or payment card details, which it says remain “securely protected.”
In a statement provided to The Register, Marisa Lee, a Coupang spokesperson, outlined the company’s response. “Coupang immediately reported the incident to relevant authorities (Police, KISA, PIPC),” Lee said, referring to the National Police Agency, the Korea Internet & Security Agency (KISA), and the Personal Information Protection Commission (PIPC).
The retailer believes the intrusion technically began on June 24, originating from “overseas servers” and routed via infrastructure outside of Korean jurisdiction. Lee told us Coupang has since “blocked the unauthorized access route, strengthened internal monitoring, and retained experts from a leading independent security firm,” though the retailer declined to name the company involved in the ongoing probe.
Coupang also declined to say who was behind the mammoth breach, but local media reports suggest that a Chinese national – allegedly a Coupang employee – leaked the data from within the company. The reports claim the individual resigned from the company, used an authentication key that was still active after the discontinuation of their contract, and left Korea shortly after the breach came to light.
Coupang explicitly warned customers to remain alert for “phone calls, text messages, or other communications impersonating Coupang” and issued public apologies for the “concern this may have caused,” a phrase that has become the boilerplate equivalent of watching a container ship tip sideways.
The incident comes just months after South Korea’s largest mobile operator, SK Telecom, revealed that hackers had stolen USIM identity data for nearly 27 million subscribers. The firm has since been slapped with a record ₩134.5 billion ($97 million) fine after South Korea’s privacy watchdog found that the mobile giant “did not even implement basic access controls.”
If an insider really did exit Coupang with retail data touching more than half the country, the business is likely bracing for a similar penalty.
Both incidents point to roughly the same uncomfortable truth. South Korea’s core commerce and communications providers remain high-value identity targets, with centralized systems that attackers see less as infrastructure and more as bulk personal data APIs awaiting redemption. ®