hankyoreh

Choi Woo-hyeok, the director-general of the Ministry of Science and ICT’s Office of Cyber Security and Network Policy, gives a briefing on the findings of a joint public-private investigation into the Coupang customer data breach on Feb. 10, 2026. (Yonhap)

A public-private probe into a massive leak at e-commerce giant Coupang found that in addition to absconding with personal information from 33.67 million accounts, a former Coupang employee also apparently accessed customer shipping address records nearly 150 million times. While there have yet to be any reports of the leak causing secondary damage, there’s no guarantee that the leaked information won’t be put to nefarious uses.

These findings underline the absurdity of Coupang’s earlier claim that the leak had only included information from around 3,000 accounts. It’s time for Coupang to stop lobbying American politicians in an attempt to downplay and misrepresent the leak.

The joint investigation team probing the Coupang situation announced at a briefing on Tuesday that approximately 33.67 million pieces of member information such as names and email addresses were leaked from the site’s personal information editing page over a seven-month period starting in April 2025. 

Additionally, personal information on the company’s “shipping address list page” was accessed 148.06 million times, including names, telephone numbers, shipping addresses, and de-identified passcodes for shared entryways to residential buildings.

The information for third parties who bought items and had them delivered to friends and family was also included in this list. 

Records of shared gate codes for residential buildings — information many feared would be used maliciously by outside actors — were viewed by the suspect 50,474 times, while records for recent purchases were viewed 102,682 times. Thus far, there have been no confirmed cases of this leaked information resulting in any damage. 

While still employed at Coupang, the suspect filched a signing key for the company’s user authentication system and generated fake login tokens necessary for logging in beginning in January of 2025, allowing them to bypass the authentication process. 

In December, immediately after the leak became public, Coupang claimed that the former employee “accessed 33 million accounts, but only retained user data from approximately 3,000 accounts,” attempting to paint the leak as pertaining to information for a few thousand users. 

Under Korea’s standard personal information protection guidelines, a “personal information breach” refers to a state in which personal data, no longer under the management or control of the business entity responsible for it, is able to be accessed by an outside third party. This government-set standard applied to data leaks at SK Telecom and elsewhere. Yet in order to serve its narrative, Coupang has concocted its own standard of what constitutes a data breach. 

While Coupang is a US-listed corporation, it does the lion’s share of its business in Korea, meaning that it should respect Korea’s legal system and customs. Korean businesses that have experienced similar data breaches have cooperated with government probes and implemented adequate remedies and measures to prevent similar incidents from being repeated, and continue to operate normally to this day. 

Yet Coupang has not only shown flagrant disregard for the Korean government’s standards, but has engaged in lobbying of political figures in the US in an attempt to turn this issue into a full-blown trade dispute between Seoul and Washington. This cannot continue. Korean consumers won’t be taken for fools. 

Please direct questions or comments to [english@hani.co.kr]