A massive data breach at Coupang that exposed personal information tied to 33xman customers has been traced to a former employee who retained access to internal systems after leaving the company, according to South Korean police.
The Seoul Metropolitan Police Agency disclosed the findings to local media after raiding Coupang’s offices earlier this week as part of an independent investigation.
Authorities say the breach ranks as the most serious cybersecurity incident in the country’s history.
Coupang, South Korea’s largest online retailer, employs about 95,000 people and generates annual revenue exceeding $30 bn.
On Dec., the company confirmed that personal data linked to 33.7 mn customers had been compromised. Exposed information included names, email addresses, physical addresses, and order histories.
The intrusion occurred on June 24, 2025, but Coupang said it did not detect the breach until Nov. 18. An internal probe began the same day. On Dec. 6, the company issued an update claiming the stolen data had not surfaced online. That reassurance did little to slow regulatory interest.
Despite Coupang’s statements that it cooperated fully with authorities, police raided the company’s offices to secure evidence. Investigators returned the following day and continued collecting internal records.
On Wednesday, Chief Executive Officer Park Dae-Jun resigned, issuing a public apology and accepting responsibility for failing to prevent the breach.
As the investigation progressed, police identified the primary suspect as a 43-year-old Chinese national who previously worked at Coupang.
According to JoongAng Daily, the man joined the company in November 2022 and was assigned to authentication management systems. He left the firm in 2024 but allegedly retained access credentials. Authorities believe he has already left South Korea.
Police seized internal documents, system logs, access histories, internet protocol records, and user credential data to determine how access controls failed and how the former employee entered corporate systems after departure.
Investigators said Coupang is currently treated as the victim in the case. Still, they warned that if negligence or legal violations emerge, the company and staff responsible for safeguarding customer data could face liability.
The breach triggered immediate fallout beyond the retailer. Police report a surge in phishing attacks nationwide, with impersonation campaigns affecting roughly two-thirds of the population.
Since the start of the month, authorities have logged hundreds of reports involving fake Coupang messages and fraudulent outreach.
According to Beinsure analysts, the case highlights a persistent weakness in corporate cybersecurity. Access management failures tied to departing employees remain one of the most common and costly risks, especially at scale.
