Last week, the nation’s President ordered swift action to penalize those responsible for the largest-ever data breach recorded to date.
In what is now one of the largest data breaches in South Korea, a firm based there, Coupang, had on 30 Nov 2025 confirmed that personal data of about 33.7m customers has been breached.
Exposed information includes names, email addresses, phone numbers, delivery addresses, and some order logs. No payment card details and login credentials are said to have been compromised.
This month, on 2 Dec, South Korea’s President had ordered on 2 Dec, swift action to penalize those responsible for the breach. Regulators and lawmakers are now demanding tighter controls on how large platforms manage privileged access and internal credentials, with some calling for a fundamental overhaul of how South Korea’s digital economy handles user data.
Coupang is facing a potential fine of up to 1 trillion won (about US$770m) under South Korea’s Personal Information Protection Act, and multiple class‑action lawsuits are expected.
Direct attack or internal compromise?
According to the firm’s Chief Information Security Officer, Brett Matthes, the attackers had obtained a private encryption key that had allowed them to generate a forged authentication token to impersonate a customer. “This person appears to have had a privileged role within the organization that gave them access to that key,” he said, describing the breach as a compromise of internal authentication mechanisms rather than a direct customer database hack.
The breach has sparked intense public and political backlash, with South Korea’s science minister, Bae Kyung‑hoon, stating that the attacker “exploited authentication vulnerabilities” in the firm’s systems. The government has called an emergency meeting on data security, and is reviewing whether to impose stricter penalties on firms that fail to protect user data.
Security experts warn that the leaked data could fuel targeted phishing and social‑engineering attacks, even if direct account takeovers are limited. Yoo Jin‑ho, an information security professor at Sangmyung University, had noted that while the Coupang data is extensive, widespread cross‑platform account compromise is unlikely because it would require matching IDs, passwords, registered cards, and personal identification numbers across services.
One regional observer, Takanori Nishiyama, SVP (APAC), Keeper Security, commented: “We continue to see the same pattern right across the APAC region, with both internal and external threat actors leveraging compromised or outdated credentials, unrevoked access rights and weaknesses in identity governance.”
