Coupang fails to detect data breach affecting over 4,500 customers for 12 days
Published: 21 Nov. 2025, 21:13
![Coupang trucks are seen at a parking lot in Seoul on Nov. 21. The e-commerce company reported a data breach to personal information of around 4,500 customers on Nov. 20. [YONHAP]](https://koreajoongangdaily.joins.com/data/photo/2025/11/21/5ab12503-1953-416e-8162-39d4fe4c850c.jpg)
Coupang trucks are seen at a parking lot in Seoul on Nov. 21. The e-commerce company reported a data breach to personal information of around 4,500 customers on Nov. 20. [YONHAP]
Coupang failed to detect a data breach that exposed the personal information of more than 4,500 customers for over 10 days, records showed Friday.
Coupang reported that unauthorized access to its user accounts occurred at 6:38 p.m. on Nov. 6, according to an incident report submitted to Rep. Choi Min-hee, chair of the National Assembly’s Science, ICT, Broadcasting and Communications Committee, by the Korea Internet & Security Agency (KISA).
However, the breach was not detected until 10:52 p.m. on Tuesday — 12 days later.
Coupang sent a text message to affected customers on Tuesday stating, “Your personal information was viewed without authorization.”
The delay has drawn criticism, with the company accused not only of failing to detect the breach promptly, but also of failing to inform customers of the exact timing of the breach.
Under Korea’s Act on Promotion of Information and Communications Network Utilization and Information Protection, businesses are required to report data breaches to authorities within 24 hours of discovery. Coupang reported the breach at 9:35 p.m. the following day, which met the legal deadline.
![Coupang trucks are seen at a parking lot in Seoul on Nov. 21. The e-commerce company reported a data breach to personal information of around 4,500 customers on Nov. 20. [YONHAP]](https://koreajoongangdaily.joins.com/data/photo/2025/11/21/71a33feb-e7d9-493e-94ac-48573e15714c.jpg)
Coupang trucks are seen at a parking lot in Seoul on Nov. 21. The e-commerce company reported a data breach to personal information of around 4,500 customers on Nov. 20. [YONHAP]
The incident report stated that there was “evidence of access to the profiles of 4,536 accounts without valid authentication” and that “initial findings suggest the access was made by exploiting a signed access token.”
Access logs showed that the compromised data included the five most recent orders and entries in the customers’ delivery address books — including names, phone numbers and shipping addresses.
Coupang said the signature key information for the tokens had all been revoked and that it was investigating how the tokens were obtained. The company also said it had enhanced detection rules and expanded monitoring to guard against further unauthorized access attempts.
The Ministry of Science and ICT, KISA and the Personal Information Protection Commission are currently investigating the cause of the breach and the extent of the damage based on Coupang’s report.
This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom.
BY HYEON YE-SEUL [[email protected]]
with the Korea JoongAng Daily
To write comments, please log in to one of the accounts.
Standards Board Policy (0/250자)