Public Breach Analysis
Coupang, South Korea’s largest e-commerce retailer, has confirmed a massive data breach exposing the personal information of 33.7 million customers—accounting for roughly two-thirds of the country’s population. The company initially reported a much smaller incident affecting 4,500 accounts on November 18, 2025, but subsequent investigations revealed the true, staggering scale of the compromise.
Incident Timeline:
- Infiltration: Unauthorized access began as early as June 24, 2025, routed through overseas servers.
- Detection: Coupang only discovered the breach on November 18, 2025, nearly five months later.
- Disclosure: The company publicly confirmed the expanded scope in late November/early December 2025.
The Cause: Reports indicate the breach was likely an insider threat. A former employee, allegedly a Chinese national developer, retained access to the internal network after resigning. This individual reportedly used unrevoked authentication tokens to exfiltrate data over a five-month period. This highlights a critical failure in Identity and Access Management (IAM) and offboarding procedures.
Data Exposed: The compromised data includes Full Names, Phone Numbers, Email Addresses, Physical/Shipping Addresses, and Order Information. Coupang has stated that sensitive financial data (credit card numbers, passwords) was not accessed.
Key Cybersecurity Insights
This incident, following the massive SK Telecom breach earlier in 2025 (27 million users), underscores systemic vulnerabilities in South Korea’s digital infrastructure:
- Insider Threat & IAM Failure: The breach wasn’t a sophisticated external hack but a failure to revoke access. The “former employee” vector is a textbook example of why automated de-provisioning and strict access controls are critical.
- Delayed Detection: The five-month “dwell time” allowed the attacker to siphon data on nearly the entire customer base. This points to a lack of effective User and Entity Behavior Analytics (UEBA) or anomaly detection for internal network traffic.
- Regulatory Pressure: The breach has triggered intense scrutiny from South Korean authorities (PIPC, KISA), with calls for stricter penalties. This incident, combined with the SK Telecom case, is pushing the government to demand higher cybersecurity standards and executive accountability.
- Secondary Attack Surface: With names, addresses, and phone numbers exposed for most of the population, the risk of targeted phishing (smishing/vishing) and social engineering is extreme. Criminals can use order history to craft convincing scams.
Mitigation Strategies
In response to this massive breach, Coupang customers and organizations operating in South Korea must take action:
- Heightened Vigilance (Phishing): Customers should be extremely skeptical of unsolicited calls or texts claiming to be from Coupang, especially those referencing delivery issues or account problems. Verify directly through the official app.
- Review Access Controls (Enterprises): Organizations must immediately audit their offboarding processes. Ensure that access revocation is automated and comprehensive, covering all internal tools, VPNs, and cloud environments.
- Implement UEBA: Deploy behavioral analytics to detect anomalous activity by legitimate credentials (e.g., a developer accessing millions of customer records or logging in from unusual locations).
- Monitor Regulatory Changes: Expect stricter data protection enforcement in South Korea. Companies should proactively review their compliance with PIPA (Personal Information Protection Act) and ensure robust incident response plans are in place.
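One way to run the offboarding audit and the post-departure usage check described in the access-control and UEBA items above, as an added example (not code from Coupang or Brinztech). The roster, token inventory and access-log fields are hypothetical, and all sample data is constructed.

```python
from datetime import datetime

# Constructed sample data; field names are hypothetical, not from the incident.
HR_ROSTER = {  # user -> exit timestamp, None while still employed
    "dev-a": None,
    "dev-b": "2025-02-01T00:00:00+00:00",
    "dev-c": "2025-01-15T00:00:00+00:00",
}
TOKENS = [
    {"id": "tok-1", "owner": "dev-a", "revoked": False},
    {"id": "tok-2", "owner": "dev-b", "revoked": False},  # never revoked
    {"id": "tok-3", "owner": "dev-c", "revoked": True},   # offboarded correctly
    {"id": "tok-4", "owner": "svc-old", "revoked": False},  # owner not in roster
]
ACCESS_LOG = [  # (timestamp, token id, customer records read)
    ("2025-01-20T09:00:00+00:00", "tok-2", 120),
    ("2025-02-10T02:10:00+00:00", "tok-2", 40000),
    ("2025-03-05T03:30:00+00:00", "tok-2", 60000),
    ("2025-03-01T10:00:00+00:00", "tok-1", 300),
]

def audit_tokens(roster, tokens, access_log):
    """Flag live tokens whose owner has left or is unknown, with post-exit use."""
    findings = []
    for tok in tokens:
        if tok["revoked"]:
            continue
        owner = tok["owner"]
        finding = {"token": tok["id"], "owner": owner,
                   "uses_after_exit": 0, "records_after_exit": 0}
        if owner not in roster:
            finding["reason"] = "owner_unknown"  # orphaned credential
        elif roster[owner] is None:
            continue  # current employee: out of scope for this audit
        else:
            exit_time = datetime.fromisoformat(roster[owner])
            late = [n for when, tid, n in access_log
                    if tid == tok["id"] and datetime.fromisoformat(when) > exit_time]
            finding.update(reason="owner_offboarded",
                           uses_after_exit=len(late), records_after_exit=sum(late))
        findings.append(finding)
    # Tokens that actually read data after the owner's exit come first.
    return sorted(findings, key=lambda f: f["records_after_exit"], reverse=True)

if __name__ == "__main__":
    for f in audit_tokens(HR_ROSTER, TOKENS, ACCESS_LOG):
        print(f)
```

Run on a schedule against the real HR feed and token store, any finding with a non-zero `records_after_exit` is an incident to investigate, not just a hygiene item.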
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com