A major data breach at South Korean e-commerce company Coupang has exposed information linked to nearly 34 million customer accounts, with potential implications for cyber aggregation risk for insurers in Asia and for regulatory scrutiny of data protection in South Korea.
According to a BBC report, Coupang said it first detected unauthorized access to personal data affecting about 4,500 customer accounts on Nov. 18 and reported the incident to the authorities. Subsequent internal investigations indicated that data associated with about 33.7 million customer accounts in South Korea was likely exposed, with the intrusion believed to have begun as early as June via a server located overseas.
According to the company, the exposed data includes customer names, email addresses, mobile phone numbers, shipping addresses, and certain order histories. Coupang said payment card information and login credentials were not compromised, and that those details remain securely protected. Even so, the retailer has asked customers to watch for phishing attempts and other scams that could exploit the leaked contact details.
The number of accounts potentially affected represents more than half of South Korea’s population of roughly 52 million. Coupang, founded in South Korea and headquartered in the US, has said it has nearly 25 million active users in its home market. Authorities have not formally identified a suspect. South Korean media have reported that a former Coupang employee based in China is under suspicion, but regulators and the company have not confirmed this.
South Korea’s internet authority and relevant government ministries have opened investigations into the breach, focusing on the scale of the exposure and whether Coupang met its obligations under domestic data protection and security rules.
The Ministry of Science and ICT said the Personal Information Protection Commission would examine compliance with mandated safeguards under the country’s Personal Information Protection Act. “As the breach involves the contact details and addresses of a large number of citizens, the commission plans to conduct a swift investigation and impose strict sanctions if it finds a violation of the duty to implement safety measures under the Protection Act,” the ministry said in a statement.
Coupang has previously reported cybersecurity incidents, including a breach that affected the data of about 460,000 customers. Local media and commentators have called for stricter sanctions when firms fail to prevent large-scale leaks of personal information, reflecting growing public and regulatory attention on corporate data governance and accountability.
The Coupang incident comes after a series of data breaches involving South Korean corporates across several sectors, which has raised concerns among insurers about correlated losses in cyber and financial lines portfolios. SK Telecom, the country’s largest mobile operator, was previously fined close to US$100 million over a breach involving personal data for more than 20 million subscribers. In a separate event, Lotte Card disclosed in September that information on nearly three million customers had been leaked after a cyberattack targeting the credit card provider.
The recent incidents come as South Korea’s Financial Supervisory Service (FSS) is urging corporates to increase security-related investment. FSS Governor Lee Chan-jin has publicly argued that current spending levels lag international benchmarks and do not match the scale of risk to business continuity. “Looking at these recent incidents, there’s no comparison with the US, and, even compared to the international average, the level of security investment by Korean companies is extremely low. Companies do not fully recognise the risk that a breach of such systems could potentially bankrupt them,” Lee said at his first press briefing since taking office in August, as reported by Korea Times.
Citing data from the Financial Security Institute, Lee noted that Korean corporates on average allocate about 6.4% of their IT budgets to cybersecurity. Financial and insurance institutions typically spend more, around 9.6%, but that is still below the roughly 13% reported at leading international financial institutions and the “20-something percent” reported at some European banks.
Lee said South Korea’s existing laws and regulations do not yet fully reflect the complexity and scale of cyber exposures facing the financial sector. According to the FSS, authorities are preparing legal and supervisory changes that would more clearly connect cybersecurity investment and system safeguards to corporate resilience. These may include stricter requirements for system security, stronger consumer protection measures, and potentially more explicit expectations for board-level accountability.