Cyber Incident Victim: Coupang Inc.

Date: Jun 2025

Location: South Korea

Summary

South Korean e-commerce giant Coupang experienced a data breach involving unauthorized access to customer information by a former employee, compromising names, phone numbers, delivery addresses, email addresses, and order histories for up to 33.7 million accounts. The company discovered the incident in November and later notified regulators, attributing the breach to an insider who obtained data via overseas servers. Affected customers will receive compensation vouchers totaling approximately $1.17 billion, with the firm asserting that stolen data was recovered, devices seized, and leakage limited to a small number of cases without external circulation. Interim leadership emphasized customer-centric remediation efforts to restore trust.

Description

The Coupang data breach was discovered on November 18, 2025, according to the company's early December disclosure. Unauthorized access to customer information occurred via overseas servers, with the intrusion period identified as June 24 to November 18, 2025. Approximately 33.7 million customer accounts in South Korea were compromised, representing nearly the entirety of Coupang's domestic user base. A December 15, 2025 SEC filing revealed that a former employee orchestrated the breach, exfiltrating name, phone number, delivery address, and email address data for up to 33 million accounts, along with partial order histories. Company founder Kim Bum-seok confirmed all stolen data was recovered through device seizures from the perpetrator, asserting that only 3,000 data instances were actually leaked without external circulation.

Coupang announced a 1.685 trillion won ($1.17 billion) compensation package on December 31, 2025, distributing 50,000 won ($34.84) vouchers to each affected customer beginning January 15, 2026. This financial commitment represents one of the largest breach-related compensations in e-commerce history relative to company revenue. Interim CEO Harold Rogers framed the response as demonstrating "customer-centricity" and corporate accountability, while simultaneously downplaying the operational impact by emphasizing data recovery and containment. The company maintained that no financial data or passwords were compromised during the incident. No technical details regarding intrusion methods or specific overseas server locations were disclosed in public statements, though the involvement of a former employee suggests potential insider threat vectors.
