Home > Business > Industry

Coupang issues new notice to customers regarding data breach

Published: 07 Dec. 2025, 14:40 Updated: 07 Dec. 2025, 18:05

A Coupang delivery truck is seen through a fence in one of the e-commerce company's logistics centers in Seoul on Dec. 7. [YONHAP]

Coupang issued a renewed notice on Sunday after being ordered by a government commission to correctly reference the recent data breach of its service, instead of the previous "data exposure" phrasing that the company first used on Nov. 20.

“There was a past incident involving the leak of customer information,” Coupang said in the notice. “There has not been a new breach, but a follow-up to the notice issued on Nov. 29 to help customers avoid impersonation scams or phishing attempts related to the initial breach.”

A text message containing the same content has been sent to its 33.7 million customers whose data was leaked due to the recent incident .

Coupang had fixed the language used in its notice following a directive from the Personal Information Protection Commission (PIPC) on Wednesday, which instructed Coupang to revise the terminology from "data exposure" to "data leak" and provide clearer information on how to minimize user damage. In an earlier statement, the company referred to the incident as an “exposure” of customer data.

"We promptly reported the incident to authorities as soon as we became aware of the situation," continued Coupang's notice. "We are currently working with relevant government bodies, including the Ministry of Science and ICT, the National Police Agency, the PIPC, the Korea Internet & Security Agency and the Financial Supervisory Service."

This is the first time since the incident occurred that Coupang has officially changed its phrasing from data exposure to leak. Coupang first claimed on Nov. 20 that 4,500 customer data had been exposed, which was criticized for its seeming intention to diminish the scale of the breach and damage. Data exposure and data breach are interpreted differently in the legal sense — the former is an unintentional accident that decreases a company's liability, while the latter is punished with a heavier penalty due to a lack of maintenance efforts.

A Coupang logo is seen in this illustration taken on Feb. 11. [REUTERS/YONHAP]

Sunday's notice comes four days after the PIPC ordered Coupang to change its phrasing and notify customers again. Failure to do so within seven days could have resulted in fines. The renewed notice also contained a new item of data that had been leaked, in addition to the previously acknowledged breaches in names, email addresses and delivery address books: the entry codes for shared residential entrances.

“No [payment] card or bank account numbers, login information such as passwords or personal customs clearance codes were compromised — this has been confirmed multiple times,” the company emphasized, adding that the National Police Agency also stated that a comprehensive investigation has found no evidence so far of secondary damage linked to the leaked data.

Coupang emphasizes that it "immediately blocked the unauthorized access path upon detecting the breach and since strengthened the internal monitoring system," but concerns for secondary damage, including phishing, still remain for consumers. In fact, scammers have been posing as credit card issuers to trick people into calling a number that can remotely install hacking apps onto people's phones.

Park Dae-jun, CEO of Coupang, attends the National Assembly’s Science, ICT, Broadcasting and Communications Committee meeting to be questioned by lawmakers over the company's latest data leak, in western Seoul on Dec. 2. [NEWS1]

The company reminded users that it never asks customers to install apps via phone or text message. “Scammers may impersonate Coupang using smishing or phishing messages — do not click on suspicious links, and delete such messages immediately,” it warned.

The notice also advised caution against fake calls or texts pretending to be related to product reviews, part-time jobs or delivery drivers. “Coupang delivery drivers do not contact customers directly via phone or text, except in exceptional cases involving delivery or returns,” the company said.

However, customers who have saved shared entrance codes in their Coupang delivery address book are advised to change those codes.

“We sincerely apologize for the inconvenience and concern that we have caused,” the company said. “All Coupang employees are working to resolve the issue as quickly as possible.”

The National Assembly is scheduled to hold a Coupang hearing on Dec. 17. Lawmakers are reportedly set on summoning Kim Bom, the de facto owner of Coupang, but his attendance remains unclear.

This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom.
BY KIM EUN-BIN, LIM SUN-YOUNG [[email protected]]