Coupang Data Breach Exposes 33.7 Million Customer Records
South Korea’s largest e-commerce platform grapples with a massive security lapse that jeopardizes personal details of over one-third of its user base. Hackers exploited an electronic signature key to siphon names, emails, phone numbers, and addresses from Coupang’s systems. The intrusion, undetected for months, underscores vulnerabilities in third-party authentication mechanisms relied upon by global retailers.
The breach originated in June 2025 when attackers compromised a key used for digital signatures in Coupang’s backend infrastructure. This allowed unauthorized access to a centralized customer database containing 33.7 million active accounts, representing 66% of South Korea’s 51 million population. Payment card details and financial records remained untouched, as those segments operate under separate encryption protocols compliant with PCI DSS standards.
Coupang detected anomalous activity in November 2025 through automated monitoring tools that flagged irregular API calls exceeding baseline thresholds by 300%. The company immediately revoked the compromised key and initiated a full forensic audit with assistance from Seoul’s National Police Agency cyber division. Preliminary findings indicate the attackers used the access to export data in structured CSV formats, potentially for sale on dark web marketplaces.
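The kind of volume check described above, as an added example that is not Coupang's tooling or part of the original article: it flags hourly API call counts per signing key that exceed that key's baseline by more than 300%. The log rows, key names, the median-based baseline and the reading of "by 300%" as more than four times baseline are all assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample rows: (hour_index, key_id, api_calls). Not real telemetry.
SAMPLE = [
    (0, "key-A", 100), (1, "key-A", 120), (2, "key-A", 110), (3, "key-A", 105),
    (0, "key-B", 40),  (1, "key-B", 50),  (2, "key-B", 45),  (3, "key-B", 42),
    (4, "key-A", 130), (4, "key-B", 170),   # key-B at ~3.9x baseline: under the bar
    (5, "key-A", 115), (5, "key-B", 260),   # key-B bulk reads: ~6x baseline
    (6, "key-A", 450), (6, "key-B", 48),    # key-A: ~4.2x baseline
    (6, "key-C", 15),                       # key never seen in the baseline window
]

def build_baseline(rows, baseline_hours):
    """Median hourly call count per key over hours [0, baseline_hours)."""
    seen = defaultdict(list)
    for hour, key, calls in rows:
        if hour < baseline_hours:
            seen[key].append(calls)
    return {key: median(vals) for key, vals in seen.items()}

def flag_anomalies(rows, baseline_hours=4, excess_pct=300.0):
    """Return (hour, key, calls, pct_over) for post-baseline hours whose volume
    exceeds the key's baseline by more than excess_pct percent.
    Keys with no usable baseline are reported with pct_over set to None."""
    baseline = build_baseline(rows, baseline_hours)
    alerts = []
    for hour, key, calls in sorted(rows):
        if hour < baseline_hours:
            continue  # still inside the training window
        base = baseline.get(key)
        if not base:  # unknown key or zero baseline: cannot compute a ratio
            alerts.append((hour, key, calls, None))
            continue
        pct_over = (calls - base) / base * 100.0
        if pct_over > excess_pct:
            alerts.append((hour, key, calls, round(pct_over, 1)))
    return alerts

if __name__ == "__main__":
    for alert in flag_anomalies(SAMPLE):
        print(alert)
```

A key that appears only after the baseline window is reported separately because a ratio test cannot score it, and an unfamiliar signing key is itself worth reviewing.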
South Korean authorities classify the incident as a state-level concern, given Coupang’s role in national logistics and its handling of sensitive government procurement data. President Lee Jae-myung directed the Ministry of Science and ICT to draft amendments to the Personal Information Protection Act, proposing fines up to 4% of annual global revenue for delayed breach notifications. Current penalties cap at 3% of domestic sales, which for Coupang equates to roughly 150 billion won based on 2024 figures.
The retailer’s shares plunged 5.4% in New York trading, wiping out $2.1 billion in market capitalization from its $39 billion valuation. U.S.-based investors, holding 45% of Coupang’s NYSE-listed stock, face indirect exposure through supply chain disruptions if consumer trust erodes. The company operates warehouses in Washington state and employs 1,200 American workers, tying the fallout to U.S. economic interests.
Coupang’s response includes mandatory two-factor authentication rollouts for all enterprise logins and segmentation of customer data across isolated AWS regions. The platform, which processes 14 million daily orders via its Rocket Delivery service, suspended non-essential API integrations to contain risks. Independent security firm Mandiant, contracted for the probe, estimates the data’s black market value at $15 million, factoring in regional demand for verified South Korean identities.
Global parallels emerge in recent breaches at competitors like Lazada and Shopee, where similar key-based exploits led to 20% upticks in phishing campaigns targeting affected users. Cybersecurity analysts at CrowdStrike note that electronic signature systems, often implemented via HSM hardware, fail when firmware updates lag, a gap Coupang addressed post-incident with quarterly patching cycles.
For American consumers, the event highlights risks in cross-border data flows; Coupang’s U.S. arm handles 500,000 cross-shipments annually, routing through Seattle hubs. The FTC monitors such incidents for patterns under its cross-border privacy framework, potentially triggering investigations if U.S. residents’ data surfaces in leaks. Enterprises sourcing from Asia now prioritize vendor audits, with Gartner forecasting a 25% rise in supply chain security spending for 2026.
Regulatory pressure intensifies as the EU’s NIS2 Directive influences Asian markets, mandating 72-hour breach disclosures. Coupang’s CEO Bom Kim stated in a shareholder letter that the company invested 120 billion won in 2025 on endpoint detection enhancements, yet the breach reveals gaps in zero-trust architectures. Affected users receive 24-month credit monitoring and password resets, though recovery from identity theft averages 180 days per victim.
This scandal accelerates South Korea’s digital sovereignty push, with lawmakers eyeing data localization mandates for platforms exceeding 10 million users. Coupang, founded by SoftBank-backed entrepreneur Bom Kim, reported $30.8 billion in 2024 revenue, 95% from Korean operations. The breach’s long-term cost, including litigation and remediation, could exceed 500 billion won, per analyst estimates from KB Securities.
U.S. tech firms like Amazon, a Coupang rival, reinforce their own defenses; AWS, Coupang’s cloud provider, activated GuardDuty alerts that aided detection. The incident fuels debates on mandatory bug bounties for critical infrastructure, with hackers potentially earning up to $1 million for similar disclosures through platforms like HackerOne. As e-commerce penetration hits 85% in South Korea, such breaches threaten the sector’s projected 12% CAGR through 2030.
