Data Security, Privacy

South Korea online retailer Coupang breach affects 33.7 million

A stock illustration that represents the concept of e-commerce phishing in pastel orange and cobalt blue, incorporating fake shopping carts and conceptual metaphors of stolen data and false security for an engaging and intuitive understanding of the concept. Utilize soft gradients and layered shadows to create a hint of spatial complexity and priority. --ar 16:9 --v 6.1 Job ID: b12556c8-93ea-4d94-91b3-9ca3f4a58a7b

A massive breach of South Korea online retailer Coupang reportedly compromised 33.7 million customer accounts, potentially affecting 65% of the country’s population of 51.7 million.

South Korean news reports said the investigation is centered around a former employee who recently left the country — although it was not confirmed by local police.

Security pros considered the breach significant because Coupang is often described as "the Amazon of South Korea," a widely used site that the Asian nation's consumers depend on.

It appeared that malicious actors had unauthorized access to the customer database at Coupang since June 2025 — and the company only recently discovered it earlier this month, said Nivedita Murthy, a senior staff consultant at Black Duck.

“Organizations should not only ensure databases are encrypted using strong algorithms and limited access is provided, they should also monitor for any suspicious activity around it and data exfiltration transactions,” said Murthy. “There are several ecommerce platforms gaining traction in the U.S., and it’s certainly possible that if these companies do not protect their databases, they will face similar breaches.”

Noelle Murata, senior security engineer at Xcape, Inc., agreed that a breach like this could happen in the U.S. because 1 in 3 data breaches now involve insiders — and the average cost of an insider incident exceeds $15.4 million.

Murata pointed out that the U.S. regulatory environment differs substantially: all 50 states have breach notification laws, and federal requirements cover the healthcare, financial, and telecom sectors. Finally, U.S. class-action mechanisms create financial exposure that South Korea currently lacks.

“Their presidential chief of staff acknowledged the current punitive damages system is ‘virtually ineffective,’ and civic groups argue that without existential financial risk, corporations will continue treating data protection as secondary,” said Murata. “The Coupang breach underscores that security investment alone is insufficient without operational discipline in offboarding controls, authentication architecture, and detection capabilities.”

Piyush Pandey, chief executive officer at Pathlock, added that this breach underscores the importance of organizations incorporating an “assume breach” mindset. That means implementing strong detection and privileged-access controls that can flag and terminate malicious activity early, rather than letting attackers maintain months-long persistence, leading to widespread damage.

“In today’s world, success isn’t measured only by how many attacks a team can block,” said Pandey. “It’s also measured by how confidently and quickly the team can recover when — inevitably — it gets hit.”

You can skip this ad in 5 seconds