Coupang, South Korea’s biggest online retailer, apologised on Sunday after a breach exposed personal information from 33.7 million customer accounts, prompting government scrutiny and warnings of follow-on scams.
The US-listed company said the leak involved customers’ names, email addresses, phone numbers, shipping addresses and some order history, but did not include payment details or login credentials.
Coupang said it learnt of the incident on Nov. 18 and reported it to authorities, adding that unauthorised access appeared to have started on June 24 via overseas servers. It said it had blocked the access route and tightened monitoring.
Park Dae-jun, Coupang’s chief executive, said the company was “sincerely sorry” for the inconvenience to customers.
South Korea’s science and ICT ministry said it held an emergency meeting on Sunday and would examine whether Coupang breached rules on personal information protection.
The government-run Korea Internet & Security Agency urged users to be alert for scam calls, texts and emails that may use leaked details.
Police are investigating after Coupang filed a complaint. The Seoul Metropolitan Police Agency’s Cyber Investigation Unit received Coupang’s complaint on Nov. 25, with the suspect listed as an “unidentified individual,” local media reported.
Coupang initially said about 4,500 accounts were affected, before later checks found the breach was far wider, local reports said.
Yonhap also reported that a former Chinese employee was suspected, without citing sources.
Coupang had 24.7 million active users in the third quarter and is often dubbed the “Amazon of South Korea” for its Rocket delivery service.
Even without card or password data, the exposure of addresses and contact details can fuel targeted phishing and delivery-related fraud, and the months-long window raises questions about monitoring.
The incident follows a series of high-profile South Korean data leaks, including Lotte Card’s disclosure in September that nearly 3 million customers were affected, with a subset exposed to data that could be abused for card fraud.