Coupang Breach Exposes Data of Nearly 34 Million Customers

South Korea is facing one of its largest-ever data incidents after Coupang — often called the country’s Amazon — confirmed a breach that potentially exposed the personal details of 33.7 million customer accounts. 

The retailer initially believed only a few thousand users were affected, but an internal investigation revealed a larger compromise.

“As the breach involves the contact details and addresses of a large number of citizens, the Commission plans to conduct a swift investigation and impose strict sanctions if it finds a violation of the duty to implement safety measures under the Protection Act,” the Ministry of Science and ICT stated, as reported by The Record.

No Payment Data Stolen, but PII Exposure Still High-Risk

Coupang said the exposed data includes names, email addresses, phone numbers, postal addresses, and order histories. No payment information or login credentials were compromised, according to the company. 

Investigators believe unauthorized access may have begun as early as June, routed through an overseas server.

South Korean media outlets also reported that the breach may be tied to a former Coupang employee, with police analyzing server logs and tracking IP activity related to the event. 

Authorities are still determining whether the individual also sent a threatening email to the company regarding the leak.

Trusted Access Is Becoming the New Security Blind Spot

Unlike earlier large-scale breaches involving malware or exploit chains, early indicators suggest this incident may stem from insider misuse or unauthorized internal access, rather than technical exploitation. 

This aligns with a growing global trend: even when perimeter controls are strong, credentialed access — especially from trusted roles — remains a high-risk blind spot.

Because Coupang is integrated into daily life in South Korea through its Rocket Delivery service, the exposed data provides a rich dataset for phishing, impersonation, and targeted scams. 

Government agencies have warned that threat actors may attempt to leverage this information to impersonate Coupang support, delivery personnel, or billing operations.

South Korea has experienced a series of similar incidents in recent months, including breaches affecting 27 million SK Telecom users and 3 million Lotte Card customers. 

The recurrence is pushing regulators to reevaluate systemic weaknesses in the country’s data protection frameworks.

How to Strengthen Defenses Against Insider Threats

Insider-driven breaches and misuse of elevated access remain some of the hardest threats for organizations to detect — and the consequences can escalate quickly when sensitive customer data is involved. 

Organizations should leverage a layered approach including the following:

• Audit privileged and administrative access, especially for departing employees or contractors.
• Strengthen monitoring of high-value internal systems, including alerting for unusual access patterns, off-hours activity, or large-scale data pulls.
• Ensure insider threat detection tools are fully enabled, including behavioral baselining and anomaly detection.
• Review data minimization practices so order history, address data, and customer metadata are not unnecessarily retained.
• Educate customers and support teams to recognize impersonation attempts following large breaches.

As external attackers and disgruntled insiders increasingly target privileged accounts, security teams need tighter visibility, stronger monitoring, and clearer oversight for high-risk users.

When One Account Becomes a Company’s Biggest Liability

Coupang’s breach has quickly become a national flashpoint in South Korea, with lawmakers arguing that existing corporate penalties are too weak to deter negligent data-protection practices. 

The presidential office even described the current enforcement regime as “not functioning,” pointing to structural gaps in how organizations store, secure, and audit massive volumes of consumer data.

The incident also highlights a broader global trend: insider risk — whether malicious, careless, or compromised — is one of the hardest security challenges to detect at scale. 

In hyperscale e-commerce environments, where millions of records move through complex systems each day, even a single privileged account can become a critical point of failure. 

As organizations expand their digital footprints, strengthening internal controls and monitoring becomes just as important as defending against external attackers.

This is why many organizations turn to zero-trust implementations, where no user or system is inherently trusted and every interaction must be continuously verified.