Coupang breach affecting 33.7 million users raises data protection questions

Published:

22 december 2025 om 14:00:09

Alert date:

22 december 2025 om 15:02:33

Source:

bleepingcomputer.com

Data Breach & Exfiltration, Enterprise Applications

Coupang disclosed a major data breach affecting 33.7 million customers after unauthorized access to personal data went undetected for nearly five months. The incident highlights insider credential abuse risks and raises questions about data protection practices. Penta Security emphasizes the importance of encrypting customer data beyond legal requirements to reduce exposure and limit damage from such breaches.

Technical details

Data breach affecting 33.7 million customer accounts on South Korea's leading e-commerce platform Coupang. Attackers accessed customer data via overseas servers for nearly five months (June 24 to November 8). Unusual access detected on November 6 at 6:38 PM KST but breach not fully identified until November 18 at 10:52 PM. Exposed data included user names, phone numbers, email addresses, delivery address books, and purchase details. A former Coupang employee identified as prime suspect who retained access keys post-resignation. The leaked information was not subject to mandatory encryption under Korean law.

Mitigation steps:

Implement enterprise-grade encryption solutions even when not legally mandated. Deploy proven encryption solutions from trusted cybersecurity vendors. Use centralized management and effective key management systems. Apply encryption beyond legally mandated data types. Consider column-level selective encryption based on data sensitivity. Implement access control, auditing, and monitoring features.

Affected products:

Coupang e-commerce platform

Related CVE's:

Related threat actors:

Former Coupang employee (insider threat)

IOC's:

This article was created with the assistance of AI technology by Perceptive.