Coupang’s massive data breach undercuts national security certification

Home > Opinion > Editorials

Coupang’s massive data breach undercuts national security certification

Published: 01 Dec. 2025, 00:00

Audio report: written by reporters, read by AI

Coupang CEO Park Dae-joon issues a public apology as he leaves an emergency meeting of relevant ministries on the data leak at the Seoul Government Complex on Nov. 30. [JOINT PRESS CORPS]

Coupang, Korea’s largest e-commerce platform, disclosed a major data leak last week affecting 33.7 million customer accounts. The scale surpasses the breach at SK Telecom, which affected 23.24 million people and resulted in the largest fine ever imposed for violations of personal information protection. It is comparable to the 2011 hacking incident that exposed data from 35 million Cyworld and Nate users.

The leaked information includes customer names, email addresses, delivery addresses and phone numbers. Coupang says payment information, credit card numbers and login credentials were not compromised, and that customers need not take separate action. Still, the scale of the breach has left users uneasy. The company had reported only 4,500 affected accounts nine days earlier, a figure that turned out to be 7,500 times smaller than the actual number. Customers are advised to avoid phone calls or messages impersonating Coupang.

Unlike past data leaks at telecom companies, which were typically caused by hacking, this case may involve a former employee from China. Investigators suspect he extracted customer data over five months without the company noticing. If true, the incident exposes serious flaws in Coupang’s internal controls and access management. Since 2020, the company has suffered four data breaches and been fined a total of 1.5 billion won ($1.02 million). Each time, it pledged to prevent recurrence, yet the assurances proved empty. The company must explain why similar failures continue and present convincing remedies.

Coupang obtained the ISMS-P certification — the country’s only government-run information security and personal data protection framework — in both 2021 and 2024. Yet, breaches continued. Since the Personal Information Protection Commission was elevated to the Cabinet level in 2020, 34 data leaks have occurred at 27 ISMS-P certified companies. These numbers have fueled criticism that a national certification is meaningless if it cannot prevent major breaches. The government must reconsider whether the ISMS-P system should be strengthened or replaced.

Coupang employs around 100,000 people in Korea, placing it just behind the four major conglomerates. Despite contributing significantly to job creation, it has faced repeated controversy, including labor disputes involving delivery workers, conditions at logistics centers and allegations of external pressure related to unpaid severance at Coupang Fulfillment Services. The latest leak adds yet another mark on the company’s reputation, raising fresh questions about oversight at one of Korea’s largest platform firms.

This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom.