Retail: Coupang Data Breach
A massive data leak at South Korea’s e-commerce giant raises fresh questions about security in online retail.
Retail and Cybersecurity: A Growing Vulnerability
Retail is one of the fastest-moving digital industries, and that pace comes with a price. Companies handle massive volumes of customer data: names, addresses, phone numbers, payment details, and detailed shopping behavior. This makes the retail sector a prime target for cybercriminals. At the same time, many retail platforms rely on huge operational teams, third-party logistics partners, and complex access systems. When cybersecurity controls fail or access policies are not enforced consistently, attackers can quietly slip in and extract highly valuable personal information. The Coupang incident is a reminder of just how vulnerable retail giants can be, even when they appear modern, trusted, and secure.
Overview
In late November 2025, South Korean e-commerce giant Coupang confirmed one of the country’s largest data breaches in more than a decade. Personal information belonging to about 33.7 million customers was exposed after an attacker gained unauthorized access to internal systems.
While Coupang says no financial data or passwords were leaked, the scale of the incident and the type of information involved have raised major concerns about privacy, security, and the company’s internal controls.
How It Happened
Investigations revealed that the breach likely began on June 24, 2025, when someone accessed Coupang’s systems using login credentials belonging to a former employee. These credentials were not revoked after the employee left the company, leaving a window of opportunity for misuse.
Authorities believe the attacker was able to use this valid identity to quietly explore Coupang’s systems for months. The company did not detect the unauthorized access until November 18, 2025, almost five months later.
During this time, the attacker extracted customer information including names, phone numbers, email addresses, delivery addresses, and portions of order history. Coupang states that no passwords, payment card details, or bank information were involved.
The suspected attacker is believed to be of Chinese nationality and no longer in South Korea, adding complexity to the investigation.
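The two control gaps described above (a departed employee's credentials left active, and months of logins that went unnoticed) can both be checked by reconciling HR offboarding records against the identity provider and the authentication log. The following is an added example, not Coupang's tooling or part of the original article; the usernames, dates, addresses and log format are constructed for illustration.

```python
from datetime import date, datetime

# Constructed sample data: hypothetical users, dates and addresses.
HR_OFFBOARDED = {  # username -> last working day, from HR records
    "jkim": date(2025, 3, 31),
    "spark": date(2025, 8, 15),
}
IDP_ACCOUNTS = {"jkim": True, "spark": False, "mlee": True}  # username -> enabled?
AUTH_LOG = """\
2025-03-30T09:12:44Z user=jkim result=success src=10.1.4.22
2025-04-12T02:03:10Z user=jkim result=success src=203.0.113.50
2025-07-02T08:00:01Z user=mlee result=success src=10.1.7.9
2025-08-20T11:45:00Z user=spark result=failure src=198.51.100.7
2025-09-01T03:17:29Z user=jkim result=success src=203.0.113.50
"""

def parse_auth_line(line):
    """Parse '<timestamp> key=value ...' (assumed log format) into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def orphaned_accounts(offboarded, accounts):
    """Departed users whose account is still enabled in the identity provider."""
    return sorted(u for u in offboarded if accounts.get(u, False))

def post_termination_logins(offboarded, log_text):
    """Authentication attempts dated after the user's last working day."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_auth_line(line)
        last_day = offboarded.get(rec.get("user"))
        # Failed attempts are reported too: they show a revoked identity being tried.
        if last_day and rec["time"].date() > last_day:
            hits.append((rec["user"], rec["time"].isoformat(),
                         rec.get("result"), rec.get("src")))
    return hits

if __name__ == "__main__":
    print("Enabled accounts of departed staff:", orphaned_accounts(HR_OFFBOARDED, IDP_ACCOUNTS))
    for hit in post_termination_logins(HR_OFFBOARDED, AUTH_LOG):
        print("Login after departure:", hit)
```

Run on a schedule, the first check catches the missed revocation and the second catches use of the identity after departure, whether or not the account was disabled.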
Risks
Even though sensitive financial data wasn’t exposed, the leaked personal information still creates real risks for customers. Stolen names and contact details can be used for scams, social engineering, fake delivery messages, phishing attempts, and identity-theft schemes.
Because the data includes addresses and order information, scammers can craft extremely convincing messages that look legitimate. Authorities have already issued warnings about suspicious calls, texts, or emails referencing Coupang deliveries or account verification.
Beyond individual impact, the breach has triggered regulatory scrutiny. South Korea’s data-protection agencies are investigating whether Coupang violated security requirements or failed to properly manage employee access. The company is also facing early lawsuits from affected users.
Recommendations
If you are a Coupang customer, or simply want to stay safe after this kind of breach, there are a few practical steps you can take.
Monitor any unexpected messages claiming to be from Coupang or a delivery service, especially those asking you to click links or provide personal information. Scammers often rely on urgency or familiarity to trick users, so take a moment to verify before responding.
Changing your Coupang password is wise, even though the company says credentials were not exposed. Using unique passwords for every service remains one of the most effective ways to protect your online accounts.
Be cautious with calls requesting personal information. Legitimate companies rarely ask for full names, addresses, or account details by phone or text.
If you start receiving unusual emails or messages linked to your Coupang activity, report them to the platform and to local authorities. Keeping a close eye on your accounts and communication channels is key until the full impact of the breach becomes clear.