Coupang data breach: Culprit identified, all customers' leaked data deleted

Recently, one of the biggest online retailers, Coupang, had faced the biggest data leak in its records ever.

South Korean e-commerce giant Coupang said on Thursday, December 25, 2025, that it has identified the person behind a data leak affecting more than 33 million users, a claim the South Korean government has yet to verify as authorities continue their own investigation into the breach.

“According to the investigation so far, the leaker accessed the information of 33 million customers but stored data from only about 3,000 accounts, all of which have since been deleted,” the company said in a statement.

Coupang said the person responsible for the massive data leak was identified as a former employee through forensic analysis, including so-called "digital fingerprints," following an investigation involving cybersecurity firms Mandiant, Palo Alto Networks, and Ernst & Young.

After being identified, the former employee confessed and provided details on how the data was accessed, including the use of stolen access keys,reports Coupang.

The e-commerce company informed that none of the data, which included customer access keys but excluded payment information or other highly sensitive details, was transmitted to third parties.

"The leaker stated that after media reports about the breach, he became extremely nervous and attempted to conceal and destroy evidence," the company added.

The culprit threw a laptop containing part of the leaked data into a river, where it was later recovered by divers based on his description of the location.

Coupang further informed that he also deleted all data stored on a second computer, reports Reuters.

Despite Coupang's announcement, the South Korean government described the company's claims as a "unilateral statement," noting that the findings of the government task force launched after the breach have not yet been released, Yonhap news agency reported.

The South Korean ministry said, “What Coupang claims has not been verified by the Ministry of Science and Technology yet,” and the incident remains under investigation.

Founded in South Korea but incorporated and listed in the United States, Coupang operates the country's largest e-commerce platform, from which it generates most of its revenue.

The company is facing class action lawsuits in both the United States and South Korea over the data breach.

Police have recently carried out raids at its Seoul headquarters, while the South Korean presidency has called for accountability and compensation for those affected.

Additionally, President Lee Jae Myung recently called for tougher penalties against the U.S.-listed firm, citing corporate negligence in what has been described as one of South Korea’s most serious data breaches.