- Coupang breach exposed PII of 33 million customers, sparking watchdog inquiries and lawsuits
- Data stolen includes names, contacts, addresses, and orders; passwords and payment info unaffected
- Attack linked to ex-employee’s active account; 10,000+ join class-action seeking compensation
Coupang, widely considered to be the biggest ecommerce store in South Korea, has confirmed suffered a devastating cyberattack in which it lost personally identifiable information (PII) on 33 million customers.
This appears to be one of the biggest data breaches in the company’s (and the country’s) recent history, sparking data watchdog inquiries, an official apology from the CEO, and a possible class-action lawsuit.
On Sunday, November 30, Coupang CEO Park Dae-joon published a letter on the company’s website, explaining what had happened, and apologizing for the incident. As per the letter, the attack started on June 24, 2025, but was only recently spotted.
Apologies, apologies
During the intrusion, which lasted “until recently”, the unnamed threat actors exfiltrated people’s names, emails, phone numbers, shipping addresses, and specific order information.
While this is more than enough for identity theft, or phishing, Dae-joon stressed that login account information (including customer passwords), payment information, or credit card information, was not stolen.
In the letter, which is roughly ten sentences long, Park Dae-joon apologized three times.
“Coupang will do its best to prevent further damage in close cooperation with the Ministry of Science and ICT, the Personal Information Protection Commission, the Korea Internet & Security Agency, the National Police Agency, and other public-private joint investigation teams,” he added.
At the same time, Reuters reports that 33 million people are affected, and that this may have been the work of a former employee of Chinese origin. The agency cited broadcaster JTBC, and said that this was the result of an internal investigation. Allegedly, the employee’s account was not terminated even after they left the company, and was later used for data exfiltration.
Reuters also said that more than 10,000 people have already expressed interest in joining a class-action lawsuit against the retailer, which could see them paid $68 per person for their loss.
Via Reuters
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
