A data security incident involving South Korean e-commerce company Coupang was disclosed on December 29, 2025, after a former employee admitted to accessing internal customer records without authorization.
According to the companyβs statement and ongoing legal filings, the individual accessed internal systems after leaving the organization and viewed or copied data linked to approximately 33 million customer accounts. Authorities confirmed that the access was not part of any approved internal activity and is being treated as a criminal violation under South Korean data protection laws.
Coupang stated that the unauthorized access was limited to customer profile information and did not involve payment card data or passwords. However, the company acknowledged that names, contact details, and order-related metadata may have been exposed.
Following the discovery, Coupang initiated a forensic investigation with external cybersecurity firms, reported the incident to regulators, and began notifying affected customers. Law enforcement agencies are continuing their investigation, and no additional suspects have been identified so far.
The company said that access controls and monitoring systems have since been strengthened to prevent similar incidents in the future. The full scope of the data exposure is still under review.