Design Highlights
- The data breach exposed 33.67 million user records, affecting over two-thirds of South Korea’s population, highlighting severe management failures at Coupang.
- Unauthorized access persisted for seven months due to internal security flaws, indicating a lack of oversight and negligence by management.
- Despite public backlash, Coupang delayed breach disclosure until after the main leak was detected, sparking criticism over their handling of the situation.
- The incident prompted legal actions and government intervention, with calls for tough penalties against Coupang for their data protection failures.
- Concerns over the breach have strained South Korea-U.S. relations and led to increased scrutiny of corporate data security practices nationwide.
South Korea is fuming, and it’s hard to blame them. A staggering 33.67 million user records have been compromised, including names, email addresses, and delivery addresses. Yes, you heard that right—over two-thirds of the South Korean population has been affected by a massive data leak from Coupang. This isn’t just a little hiccup; it’s a nightmare unfolding in real-time.
Over two-thirds of South Korea is in uproar after a massive 33.67 million user records leak from Coupang.
The breach, which saw its main leak detected in late November 2025, was actually a slow burn that happened between April and November of that year. Seven whole months of abnormal activity went undetected. Talk about negligence!
The culprit? A former Coupang software developer with a penchant for mischief. This individual had access to the user authentication system and cleverly forged internal access keys like a magician pulling bunnies out of hats. Using automated tools to scrape data, they exploited a glaring flaw in Coupang’s internal credential management. Flaws in internal credential management enabled prolonged unauthorized access, allowing the former employee to retain control even after their departure.
They retained access even after leaving the company because, surprise surprise, the keys were never revoked. The whole situation reeks of management meltdown rather than some high-tech hacking extravaganza.
And what did Coupang do in response? They disclosed the breach only after the main leak was unearthed, confirming that 33.7 million accounts were at risk. They even notified an additional 165,000 users later, as if that made everything okay. In the aftermath, Coupang has faced ongoing backlash from the public due to their handling of the situation.
Sure, payment details and login info were safe, but the contact details—names, phone numbers, and addresses—were out there for anyone to snatch. The backlash was swift and brutal. Public outcry, lawsuits, and even a tax audit followed. How’s that for a PR disaster?
The South Korean government isn’t taking this lying down either. The Ministry of Science and ICT has launched a joint probe, and President Lee Jae Myung has been vocal about imposing tough penalties. Legal violations and evidence protection failures were discovered. Business owners must also consider how key employee disability insurance can protect against unexpected losses when critical personnel are compromised.
It’s a mess, to put it mildly. The government has called this breach the worst in South Korean history, shaking ties with the U.S. and triggering all sorts of police and regulatory investigations.
