Breach Timeline and Massive Data Exposure Coupang detected unauthorized access on Nov 18 and alerted authorities within two days, initially reporting about 4,500 affected accounts before expanding the figure to 33.7 million customers — nearly its entire user base — whose names, phone numbers, email and delivery addresses were exposed [2][3][4][5]. The intrusion began on June 24, 2025, exploiting overseas servers and remained undetected for months [2][3][4][5]. Payment information, login credentials and customs clearance codes were explicitly excluded from the compromised data set [1][2][3][4][5].

Suspect Identification and Lack of Secondary Damage Police investigations named a former Chinese employee of Coupang, who had left the company and the country, as a primary suspect based on a complaint filed on a Tuesday [2][3][4][5]. Despite the large‑scale exposure, Korean police confirmed no documented cases of secondary damage, such as fraud or phishing, have been linked to the leaked information [1]. The company reiterated that no financial data was compromised, reducing immediate risk to users [2][5].

Government Emergency Meeting and Regulatory Action Science Minister Bae Kyung‑hoon convened an inter‑agency emergency meeting on Nov 30, ordering a joint investigation into possible violations of data‑protection guidelines [2][3][4][5]. Agencies involved include the Ministry of Science and ICT, the Korean National Police Agency, the Personal Information Protection Commission, the Korea Internet & Security Agency and the Financial Supervisory Service [1]. The breach was compared to SK Telecom’s April 2025 leak of 23.2 million users, which resulted in a record fine, underscoring the severity of the incident [3].

Company Response, Revised Notice, and Future Safeguards CEO Park Dae‑jun issued a public apology on Nov 30, pledging to strengthen security measures and fully cooperate with authorities [3][4][5]. Following a government request, Coupang revised its public notice to label the event explicitly as a “data breach” and warned users about potential impersonation or phishing attempts [1]. Ongoing cooperation with multiple regulatory bodies aims to prevent recurrence and protect customer data [1][5].