Coupang Suffers Major Data Breach, Exposing 33.7 Million Customers
In a significant cybersecurity incident, South Korea-based e-commerce giant Coupang has disclosed that the personal data of approximately 33.7 million customers has been compromised. The breach occurred in November 2025 when an unidentified threat actor infiltrated Coupang’s IT systems, extracting sensitive information such as customer names, email addresses, phone numbers, shipping details, and specific order history. This incident ranks among the largest cyberattacks in South Korean history and has sparked investigations by local law enforcement agencies as well as the potential for class-action lawsuits from affected customers.
In response, Coupang has proposed a compensation package valued at 1.69 trillion won, equivalent to roughly $1.18 billion. Each affected customer will receive a voucher worth 50,000 won (approximately $34.60), which can only be used for future purchases on Coupang’s platform. This limitation has drawn considerable ire from lawmakers and consumer advocacy groups, who argue that the company is leveraging the situation to bolster its business rather than genuinely compensating victims. Lawmaker Choi Min-hee publicly criticized Coupang’s strategy, describing it as an attempt to monetize a crisis.
Consumer organizations have condemned the settlement as a marketing tactic that undermines the severity of the data breach. The apparent valuation of personal information—equivalent to a typical restaurant meal—has raised questions regarding the ethical implications of such low compensation for affected individuals.
Shortly after the breach, police dispatched a team of 17 investigators to conduct a search at Coupang’s Songpa-gu offices. This investigative measure is aimed at uncovering comprehensive details about the breach, including identifying the perpetrator, the method of data exfiltration, and root causes leading to the incident.
Given the nature of the breach, several adversary tactics outlined in the MITRE ATT&CK framework may have been employed. Initial access tactics could have been implemented through phishing or exploiting vulnerabilities in Coupang’s infrastructure. Techniques for persistence and privilege escalation might have facilitated the unauthorized access to sensitive data over prolonged periods. The implications of this breach underscore the critical need for organizations to invest in robust cybersecurity measures to protect customer data effectively.
As businesses grapple with increasing cyber threats, the Coupang incident serves as a stark reminder of the vulnerabilities inherent in the digital landscape. The fallout from this breach will likely have long-lasting effects on customer trust and regulatory scrutiny, highlighting the importance of transparent and ethical responses to data security failures.
In summary, the Coupang data breach illustrates the multifaceted challenges organizations face in securing sensitive information. The blend of investigative action and legislative criticism surrounding Coupang’s handling of the aftermath offers a significant case study for other businesses aiming to bolster their cybersecurity frameworks.
