Coupang Said 3,000 Accounts Breached. It Was Actually 33.6 Million

3,000 accounts compromised, Coupang initially claimed. The actual number? 33.6 million – over 10,000 times larger than what South Korea's e-commerce giant first reported. This staggering discrepancy has exposed not just a massive data breach, but a troubling pattern of corporate opacity in the digital age.

The revelation came Tuesday when South Korea's Ministry of Science and ICT released findings from a joint government-private investigation into the November breach. The scale is breathtaking: nearly two-thirds of South Korea's entire population had their personal information exposed.

When Numbers Don't Add Up

The investigation analyzed 25.6 terabytes of web access logs – a digital forensics effort of unprecedented scale in South Korea. What they found painted a disturbing picture: hackers had accessed Coupang's delivery system approximately 148 million times, viewing names, email addresses, phone numbers, and even shared apartment building entrance codes.

Coupang's initial response raises serious questions about corporate transparency. The company knew about the breach at 4 p.m. on November 17 but didn't report it to authorities until 9:35 p.m. on November 19 – 48 hours late and well beyond the legal 24-hour requirement.

"This was apparently a matter of management, not a sophisticated attack," said Choi Woo-hyuk, director general of the ministry's cybersecurity bureau. The hackers exploited vulnerabilities in Coupang's authentication system, forging digital passes to bypass normal security procedures.

The Convenience-Security Trade-off

For millions of South Koreans, Coupang represents the pinnacle of e-commerce convenience – next-day delivery of everything from groceries to electronics. The company's "Rocket Delivery" service has become integral to daily life, especially post-pandemic. But this convenience came with a hidden cost: massive personal data exposure.

The breach's scope extends beyond typical user information. Hackers accessed delivery details including apartment building entrance codes – data that could potentially compromise physical security for millions of households. This highlights how modern e-commerce platforms collect far more sensitive information than traditional retailers ever did.

Coupang maintains that no secondary damage has occurred, arguing that viewing data doesn't necessarily mean stealing it. "The attacker viewed Coupang's website, meaning the attacker just tried to collect personal information linked to 33.7 million accounts," a company official told Yonhap News Agency.

Regulatory Reckoning

The government's response reveals both the strengths and limitations of South Korea's cybersecurity framework. While authorities conducted a thorough technical investigation, the maximum fine for delayed reporting is just 30 million won ($20,560) – pocket change for a company with $24 billion in annual revenue.

This penalty structure raises questions about deterrence effectiveness. Can such modest fines motivate proper cybersecurity practices among tech giants? The investigation also revealed that Coupang failed to preserve crucial evidence, including web access records for five months in 2024.

Global Implications

The Coupang case reflects broader challenges facing regulators worldwide. As e-commerce platforms collect increasingly granular personal data, the potential impact of breaches grows exponentially. The company's U.S. listing adds another layer of complexity, as American investors and regulators may also scrutinize the incident.

Class-action lawsuits have already been filed in U.S. courts, seeking punitive damages. This cross-border legal exposure demonstrates how data breaches in our interconnected world can have far-reaching consequences beyond their country of origin.