Coupang, one of the most prominent e-commerce platforms in South Korea, experienced an ongoing data breach that persisted for five months. According to Reuters, the organization initially discovered the unauthorized exposure on Nov. 18. Investigations revealed approximately 33.7 million accounts were compromised in South Korea. 

Affected information includes: 

• Names
• Email addresses
• Phone numbers
• Shipping addresses

According to the company, some order histories may have been impacted as well. However, payment data, credit card information, and login credentials were not impacted. 

Security Leaders Weigh In

Nivedita Murthy, Senior Staff Consultant at Black Duck: 

Based on the information provided, it appears malicious actors had unauthorized access to the customer database at Coupang for a while and the company only recently discovered this. South Korea recently overhauled the Personal Information Protection Act (PIPA) which governs and protects personal data collected by both public and private entities. In case of a data breach, the organization is supposed to notify the commission which enforces this act within 24 hours, and in some cases, the affected individuals as well. There is a significant penalty when data is not protected including potential imprisonment. 

Organizations should not only ensure databases are encrypted using strong algorithms and limited access is provided, they should also monitor for any suspicious activity around it and data exfiltration transactions. There are several ecommerce platforms gaining traction in the U.S. and it is certainly possible that if these companies do not protect their databases, they will face similar breaches. Customer data is considered gold in the virtual world as this can be used for just about any type of activity, from possible leads to potential phishing targets. 

Piyush Pandey, CEO at Pathlock:

This breach underscores the importance of organizations incorporating an ‘assume you are breached’ mindset. That means implementing strong detection and privileged-access controls that can flag and terminate malicious activity early — rather than letting attackers maintain months-long persistence, leading to widespread damage.

In today’s threat landscape, success isn’t measured only by how many attacks you block. It’s also measured by how confidently and quickly you can recover when — inevitably — you get hit.