Coupang breach impacted tens of millions of users The personal data of roughly 34 million customers was stolen, with Yonhap reporting 34 million affected and another source noting “more than 33 million” [1][2]. Stolen information included names, addresses, and phone numbers, exposing users to identity‑theft risk. The breach began in June 2025 on overseas servers but was not discovered until December, a five‑month gap that delayed response. Police traced the intrusion to an IP address linked to the perpetrator.

Leak originated on foreign servers and remained hidden Investigators believe the exfiltration started on overseas infrastructure, allowing the data to be siphoned without immediate detection [2]. Coupang only learned of the breach in December, prompting a rapid internal audit and external police involvement. The delayed discovery highlighted gaps in real‑time monitoring and cross‑border data‑security protocols. Authorities are now examining how foreign server usage contributed to the vulnerability.

Former Chinese employee identified as likely perpetrator Police confirmed that a former employee of Chinese nationality, who had already left South Korea, was the primary suspect [1][2]. IP‑address analysis linked the breach to credentials associated with this individual. Investigators continue to track his digital footprints to determine the full scope of the exfiltration. The case underscores insider‑threat risks within multinational e‑commerce firms.

President Lee demands harsher penalties while officials deem current system ineffective At a cabinet meeting on Dec 2, President Lee Jae Myung called for stronger sanctions and a punitive‑damages regime to deter future leaks [1]. He urged ministries to adopt compensation beyond actual losses, mirroring overseas practices. Conversely, Chief of Staff Kang Hoon‑sik described the existing punitive‑damages mechanism as “virtually not functioning,” urging institutional reforms and corporate‑security support [2]. Both leaders emphasized a “paradigm shift” in South Korea’s digital‑security strategy.