Coupang CEO Finally Apologizes Over 33.7 Million Customer Data Breach
South Korea's largest e-commerce breach exposed personal data for two-thirds of the population. Former employee identified as perpetrator. National Assembly hearings scheduled.
Coupang founder and CEO Kim Bom-Suk issued his first public apology on Sunday over a data breach that exposed personal information for 33.7 million customers—roughly two-thirds of South Korea's entire population. The apology comes after weeks of intense criticism over the company's handling of what has become the largest e-commerce security incident in Korean history.
"The incident caused great concern and inconvenience to customers and the public," Kim said in his statement. He had previously faced backlash for declining to attend parliamentary hearings on the breach earlier this month.
What Was Exposed
The breach compromised the basics you'd expect from an e-commerce platform: names, phone numbers, email accounts, and delivery addresses. For a platform where 33.7 million people shop, that's a comprehensive dataset of the Korean consumer population.
According to investigations, approximately 3,000 customer records were exposed in greater detail, including:
- Full name and contact information
- Order history
- Delivery addresses
- 2,609 building entrance codes
Those entrance codes are a uniquely concerning data point. In Korea's apartment-dominated housing landscape, entrance codes provide physical access to residential buildings. Their exposure creates real-world security implications beyond typical identity theft concerns.
How It Happened
This wasn't a sophisticated external attack. The perpetrator was a former Coupang employee who used stolen access keys to query customer data from overseas servers starting June 24, 2025.
Coupang detected the unauthorized access on November 18 and notified regulators within two days. The company initially reported that roughly 4,500 accounts were affected. The actual scope—33.7 million—emerged later.
Forensic analysis by Mandiant, Palo Alto Networks, and Ernst & Young identified the former employee. Once confronted, the individual confessed and provided details on the access methods used.
According to investigators, the perpetrator accessed basic customer information from 33 million accounts but only saved data from approximately 3,000. This distinction matters for understanding actual exposure, but it doesn't diminish the failure that enabled the access in the first place.
The Fallout
The breach has triggered consequences across multiple domains:
Legal: A securities class action lawsuit has been filed in the US, where Coupang trades on the NYSE. The suit seeks to represent investors who purchased shares between August 6 and December 16, 2025, alleging the company delayed disclosure of the incident.
Regulatory: South Korea's Ministry of Science and ICT expanded its inter-ministerial task force to include the Personal Information Protection Commission, Korea Communications Commission, Fair Trade Commission, and law enforcement. Potential fines could reach $900 million (1.2 trillion KRW).
Political: A National Assembly joint hearing is scheduled for December 30-31, involving six standing committees. Kim's repeated absences from earlier hearings intensified legislative scrutiny.
Leadership: The CEO of Coupang's South Korean e-commerce unit resigned on December 10 as the fallout intensified. South Korean police raided Coupang's Seoul offices the same day.
Why This Breach Matters
Scale alone makes this significant—33.7 million records from a country of 52 million represents penetration levels most breaches don't achieve. But several factors amplify the impact:
Insider threat validation: This wasn't a sophisticated hacking operation. A former employee with retained credentials accessed production databases. The attack surface was trust, and it failed.
Delayed scope disclosure: Coupang's initial 4,500-account estimate versus the eventual 33.7 million figure damaged credibility. Whether this reflects genuine confusion during investigation or deliberate minimization, the gap eroded public trust.
Physical security implications: Building entrance codes aren't just data points—they're access credentials for residential buildings. Their exposure creates risks that go beyond digital identity theft.
Regulatory test case: Korean regulators are treating this as a landmark case for data protection enforcement. The outcome will signal how seriously the country's legal framework treats corporate security failures.
What Coupang Customers Should Do
If you've used Coupang's services:
- Change your building entrance code if you've had packages delivered and the code was stored in your account
- Monitor for phishing attempts that reference your Coupang account or order history
- Be skeptical of unsolicited delivery notifications that could be social engineering attempts
- Review account activity for any unfamiliar orders or changes
- Read any breach notification Coupang may be required to send for additional guidance
The company says it has deleted the leaked data, though how that claim was verified remains unclear. Data that leaves a controlled environment doesn't simply disappear because the source organization says so.
The Bigger Picture
Insider threats account for a significant portion of data breaches, yet organizations consistently underinvest in access controls, monitoring, and offboarding procedures. Coupang's breach is a reminder that the most sophisticated perimeter defenses mean nothing when a former employee retains production access keys.
The December 30-31 hearings will likely produce additional details about how access controls failed and what Coupang knew and when. For now, 33.7 million Koreans are left with their personal data in unknown hands and a belated apology from a CEO who took weeks to acknowledge the severity of what happened.
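As an added illustration (not code from this article, Coupang, or the investigators), the offboarding gap described above can be checked by reconciling an access-key inventory against HR termination dates and flagging any key use after the owner left. All key IDs, names, dates and log fields below are constructed sample data and assumed formats.

```python
from datetime import date

# Constructed sample data (not from the incident): key inventory joined with HR records.
# (key_id, owner, status, owner_termination_date or None if still employed)
KEYS = [
    ("key-001", "alice", "active", None),
    ("key-002", "bob", "active", date(2025, 3, 1)),
    ("key-003", "carol", "revoked", date(2025, 2, 1)),
]

# Constructed usage log: (key_id, day_used, source_country)
USAGE = [
    ("key-001", date(2025, 4, 2), "KR"),
    ("key-002", date(2025, 2, 20), "KR"),  # before termination: expected
    ("key-002", date(2025, 4, 10), "XX"),  # after termination, unfamiliar location
    ("key-002", date(2025, 6, 5), "XX"),
    ("key-003", date(2025, 1, 15), "KR"),
]

def orphaned_keys(keys):
    """Keys still active although their owner has left: an offboarding gap."""
    return [k for k, _, status, term in keys if status == "active" and term is not None]

def post_termination_use(keys, usage):
    """Per key: first/last use after the owner's termination date, the number
    of such uses, the span in days between them, and the source countries."""
    term_dates = {k: term for k, _, _, term in keys if term is not None}
    findings = {}
    for key_id, day, country in sorted(usage, key=lambda u: u[1]):
        term = term_dates.get(key_id)
        if term is None or day <= term:
            continue  # owner still employed, or use predates departure
        f = findings.setdefault(
            key_id, {"first": day, "last": day, "uses": 0, "countries": set()})
        f["last"] = day
        f["uses"] += 1
        f["countries"].add(country)
    for f in findings.values():
        f["span_days"] = (f["last"] - f["first"]).days
    return findings

if __name__ == "__main__":
    print("active keys of departed staff:", orphaned_keys(KEYS))
    for key_id, f in post_termination_use(KEYS, USAGE).items():
        print(key_id, f)
```

Run on a schedule, the first check catches keys that survive offboarding before they are used; the second shortens the window between first misuse and detection.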