
Personal information of Coupang customers who entrusted their daily lives to "Rocket Delivery" has been compromised on a global scale. A former Coupang employee conducted prolonged unauthorized access and leaked customer data.
The government recently announced that approximately 33.67 million account records were exposed following a joint public-private investigation. The attacker viewed customer information pages, including delivery address lists, more than 100 million times. Evidence confirmed that some data was extracted externally. Beyond simple account information leaks, concerns have emerged about potential exposure of addresses, contact details, order histories, and even access codes such as apartment building entrance passwords. The incident has evolved from a "platform security breach" into a matter of "personal safety."
Former Employee Viewed 100 Million Customer Records Over Seven Months
On November 16 last year, Coupang received an email from a former employee claiming to have leaked personal information. The company reported this to its Chief Information Security Officer the following afternoon. While the Information and Communications Network Act requires reporting security incidents within 24 hours of discovery, Coupang filed a report with the Korea Internet & Security Agency on November 19—past the deadline—stating that information from 4,536 accounts had been leaked.
According to the government investigation, the attacks continued for approximately seven months starting in April 2025. The attacker exploited authentication vulnerabilities in Coupang's servers to access user accounts without proper login procedures. Under normal circumstances, users receive a type of "electronic pass" after logging in, which Coupang then verifies. However, the attacker stole signing keys from the user authentication system they had managed during their employment and used them to forge these "electronic passes," thereby penetrating Coupang's authentication framework. The joint investigation team found that Coupang lacked procedures to verify the authenticity of these electronic passes.
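The following sketch is an example added here, not Coupang's code or anything from the investigation. It shows the kind of checks a verifier can apply to a signed "electronic pass" so that a valid signature alone is not enough. The token format, key names and the `ISSUED` login record are all constructed assumptions.

```python
import base64, hashlib, hmac, json

# Constructed key registry (assumption): key id -> (secret, status).
KEYS = {
    "k1": (b"old-signing-secret", "revoked"),    # retired when its custodian left
    "k2": (b"current-signing-secret", "active"),
}
ISSUED = set()  # server-side record of token ids created by real logins

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(secret, kid, body):
    return hmac.new(secret, f"{kid}.{body}".encode(), hashlib.sha256).digest()

def sign(claims, kid):
    """Build a token 'kid.body.sig' under the named key."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{kid}.{body}.{_b64(_mac(KEYS[kid][0], kid, body))}"

def issue(user, jti, now, ttl=900):
    """Login path: record the token id, then sign with the active key."""
    ISSUED.add(jti)
    return sign({"sub": user, "jti": jti, "exp": now + ttl}, "k2")

def verify(token, now):
    """Return (ok, subject or reason)."""
    try:
        kid, body, sig = token.split(".")
        secret, status = KEYS[kid]
        given = _unb64(sig)
    except (ValueError, KeyError):
        return (False, "malformed or unknown key")
    if not hmac.compare_digest(_mac(secret, kid, body), given):
        return (False, "bad signature")
    if status != "active":
        return (False, "key revoked")      # valid signature, retired key
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now:
        return (False, "expired")
    if claims["jti"] not in ISSUED:
        return (False, "not issued by login")  # signed, but no login created it
    return (True, claims["sub"])
```

The last check is the one that still holds when an active key has been copied: a pass that no recorded login produced is refused even though its signature verifies.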
The leaked information essentially encompasses nearly all data customers provided to Coupang. Beyond account information, the attacker accessed "my information" sections, delivery address lists, and order histories—data directly connected to customers' daily lives. Delivery addresses often include saved addresses of family members and acquaintances. Combined with information such as apartment building entrance passwords, online breaches could translate into offline physical risks. This demonstrates that data held by platform companies constitutes not merely "membership information" but "life maps."
Former Employee Had Free Access to Information; Negligent Management Under Scrutiny
Coupang's post-incident response has also come under criticism. Despite a government order to preserve data for investigating the incident's cause, some access logs were found to have been deleted. The government stated that several months of web access records and portions of app access records were not preserved. This matter extends beyond simple management negligence to potential obstruction of the investigation, prompting the government to request a criminal probe. Meanwhile, the National Assembly recently passed an amendment to the Personal Information Protection Act. The revision allows penalties of up to 10% of total revenue for intentional, grossly negligent, or repeated large-scale personal information breaches. Previously, penalties were capped at 3% of total revenue.
In response to the government's position, Coupang stated it shared results from its own investigation with the joint investigation team and the Personal Information Protection Commission. Coupang Inc. said, "The information accessed by the former employee was limited to names, emails, phone numbers, delivery addresses, limited order histories, and some building entrance codes." The company added, "No highly sensitive information was accessed, including payment information, financial information, user IDs and passwords, or identification documents."
