Coupang Revises Notice, Confirms No Secondary Damage After Massive Data Breach
Updated (7 articles)
Extended breach timeline and massive data exposure
Unauthorized access began on June 24, 2025 through overseas servers and remained undetected for five months before Coupang discovered it on Nov 18, 2025 [2][3][4]. The company later disclosed that personal details of 33.7 million customers—including names, phone numbers, email addresses and delivery addresses—were exposed, while payment information and login credentials were not compromised [1][2][5]. Initial reports mentioned only 4,500 affected accounts, but a subsequent investigation revealed the full scale affecting nearly the entire user base [2][3][4].
Government emergency meeting launches joint investigation
On Nov 30, 2025, Science Minister Bae Kyung‑hoon convened an inter‑agency emergency meeting, ordering a comprehensive probe into possible violations of data‑protection guidelines [3][4][5]. The investigation involves the Ministry of Science and ICT, the Korean National Police Agency, the Personal Information Protection Commission, the Korea Internet & Security Agency and the Financial Supervisory Service [1][3]. Authorities are assessing both the breach’s cause and any regulatory breaches by Coupang [2][5].
Police identify former Chinese employee as suspect
Police reports indicate a former Chinese employee of Coupang, who has left the country, is the primary suspect after a complaint was filed on the Tuesday following the breach’s discovery [2][3][4]. The suspect is believed to have exploited insider knowledge to access the overseas servers [2][4]. Investigators are pursuing the individual for potential violations of security and data‑protection statutes [5].
Coupang’s evolving public communications and safeguards
Coupang first notified authorities on Nov 20 and publicly reported only 4,500 records, later expanding the figure to 33.7 million [2][3][5]. CEO Park Dae‑jun issued a public apology on Nov 30, pledging stronger data‑protection measures and full cooperation with investigators [3][4][5]. Following a government request, the company revised its notice on Dec 6 to label the incident explicitly as a data breach and confirmed that no secondary damage—such as phishing or impersonation—has been documented [1].
Comparative context and potential penalties
The breach surpasses the April 2025 SK Telecom leak of 23.2 million users, which resulted in a record fine of 134.8 billion won, highlighting the possible financial and regulatory repercussions for Coupang [3][4]. Ongoing investigations may uncover additional compromised data or lead to further sanctions [5].
Sources (5 articles)
[1] Yonhap: Coupang revises notice to call incident a data breach; police report no secondary damage – Details the Dec 6 revised notice, government‑mandated wording, and police confirmation of no secondary misuse.
[2] Yonhap: Coupang Data Breach Exposes 33.7 Million Users, Investigation Underway – Announces the full scope, timeline, suspect identification and emphasizes that financial data remained safe.
[3] Yonhap: Coupang Data Breach Revealed to Span Five Months, Prompting Government Action – Highlights the five‑month breach period, emergency meeting, CEO apology and comparison to SK Telecom.
[4] Yonhap: Coupang Data Breach Revealed to Span Five Months, Prompting Government Action – Mirrors previous report with focus on breach discovery, suspect details and governmental response.
[5] Yonhap: Coupang data breach exposed 33.7 million customers, company apologizes – Summarizes breach timeline, suspect, CEO apology and notes potential for larger impact beyond current findings.
Timeline
April 2025 – A data leak at SK Telecom exposes personal information of 23.2 million users, prompting South Korea’s regulator to impose a record fine of 134.8 billion won, a benchmark that later frames the severity of the Coupang breach. [3][4][5][6][7]
September 2025 – Lotte Card suffers a breach in which financial details are later confirmed compromised, underscoring growing concerns about the protection of Korean e‑commerce and fintech data. [7]
June 24, 2025 – Unauthorized access to delivery‑related personal data begins on overseas servers, exploiting a vulnerability in Coupang’s server‑verification process. [6][4]
Nov 18, 2025 – Coupang discovers the breach and notifies authorities within two days, initially reporting that about 4,500 customers’ information was affected. [3][5][6][7]
Nov 29, 2025 – Coupang publicly expands the scope, confirming that personal information of 33.7 million customers – nearly its entire user base – has been compromised, and police identify a former Chinese employee as a suspect who has left the country. [6][7]
Nov 30, 2025 – Science Minister Bae Kyung‑hoon convenes an emergency inter‑agency meeting to launch a joint investigation; CEO Park Dae‑jun issues a public apology, pledging stronger data‑protection measures and full cooperation; police reaffirm the suspect’s link to the breach; the company stresses that “payment information, credit‑card numbers and login credentials were not compromised.” [2][3][4][5]
Dec 6, 2025 – Following a government order, Coupang revises its notice to label the incident explicitly as a “data breach,” adds precautionary advice against impersonation or phishing, and reports that police have found “no documented secondary damage” from the leaked data. [1]
All related articles (7 articles)
- Yonhap: Coupang revises notice to call incident a data breach; police report no secondary damage
- Yonhap: Coupang Data Breach Exposes 33.7 Million Users, Investigation Underway
- Yonhap: Coupang Data Breach Revealed to Span Five Months, Prompting Government Action
- Yonhap: Coupang Data Breach Revealed to Span Five Months, Prompting Government Action
- Yonhap: Coupang data breach exposed 33.7 million customers, company apologizes
- Yonhap: Coupang Data Breach Uncovered, 33.7 Million Customers Affected, Suspect Identified
- Yonhap: Coupang Data Breach Revealed to Span Five Months, Affecting 33.7 Million Customers