Culprit Identified and All Leaked Customer Data Destroyed

Coupang data breach: Culprit identified, all customers' leaked data deleted

In a significant security incident, Coupang, a leading South Korean e-commerce platform, has encountered a severe data breach that has compromised the personal information of over 33 million customers. On December 25, 2025, the company announced that it had successfully identified the individual responsible for the breach, a former employee. However, the South Korean government has yet to verify this claim, as its authorities continue their investigation.

According to Coupang, preliminary findings suggest that while the leaker accessed data on 33 million users, information from only approximately 3,000 accounts was actually stored by the leaker. This sensitive data has since been deleted, the company reported. The investigative process involved collaboration with cybersecurity firms such as Mandiant, Palo Alto Networks, and Ernst & Young to conduct forensic analyses, including the examination of “digital fingerprints.”

The former employee, once identified, admitted to the unauthorized access and elaborated on the techniques used, which reportedly included stolen access keys. This methodology aligns with various tactics detailed in the MITRE ATT&CK framework, particularly under initial access and privilege escalation strategies, which highlight common methods adversaries may utilize when infiltrating organizational networks.

Coupang confirmed that no sensitive data, such as payment information, was passed to third parties. However, the leaked information did encompass customer access keys. Following media reports on the breach, the individual involved reportedly attempted to conceal evidence, including discarding a laptop that contained a portion of the leaked data into a river. This device was later retrieved by divers, following details provided by the former employee. Subsequently, the former employee deleted all data stored on an additional computer.

Despite Coupang’s announcements, the South Korean government characterized these claims as a “unilateral statement.” The Ministry of Science and Technology emphasized that its task force, initiated in response to the breach, has yet to finalize its findings. The ministry stated that the claims made by Coupang lack independent verification, and the investigation is ongoing.

Founded in South Korea but publicly traded in the United States, Coupang operates the largest e-commerce platform in the nation, accounting for a significant portion of its revenue. The fallout from this breach has resulted in class action lawsuits in both the U.S. and South Korea, with ongoing scrutiny from regulatory bodies. Recently, police conducted raids at Coupang’s Seoul headquarters, and there have been calls for greater accountability from South Korean officials, including President Lee Jae Myung, who urged stricter penalties against the company for perceived corporate negligence in this serious data breach incident.

As businesses increasingly operate in interconnected digital environments, incidents like the Coupang data breach underscore the critical importance of robust cybersecurity measures. Organizations should review their access controls and incident response protocols to mitigate the risks associated with evolving cyber threats.
