[Alpha Biz= Kim Jisun] SEOUL, South Korea — Feb 5, 2026 — Coupang announced on February 5 that it has identified an additional 165,000 accounts affected by the personal data breach first discovered in November last year. This admission effectively contradicts the company’s previous internal audit, which estimated the number of compromised accounts at just 3,000.

■ Expanded Scope of Data Breach The newly identified leaked information includes names, phone numbers, and addresses from customers' saved address books. In compliance with recommendations from the Personal Information Protection Commission (PIPC), Coupang has begun notifying the affected individuals.

These additional leaks were discovered during an extensive investigation into Coupang’s internal systems and servers by a government-led joint task force.

■ Discrepancy in Internal Audit Results On December 25, 2024, Coupang released an internal report stating that while the intruder had accessed basic information for 33 million accounts, data from only "about 3,000 accounts" had been stored. At the time, Coupang emphasized the reliability of this finding, noting it was conducted by top-tier global cybersecurity firms, including Ernst & Young (EY). However, the latest findings from the joint task force have significantly undermined the credibility of that initial audit.

While Coupang maintains its stance that only 3,000 accounts had their data specifically "stored" by the intruder, industry experts warn this figure may also change as the investigation progresses.

■ Ongoing Investigation and Customer Compensation The government task force continues to analyze the scale of the breach among the 33.7 million potentially exposed accounts, including identifying "invalid accounts" (accounts lacking identifiable personal data). Consequently, the final number of confirmed leaks remains subject to change.

Coupang clarified that sensitive data—such as payment and login credentials, building entrance codes, emails, and order histories—remains secure. The company also emphasized that these are not new incidents but additional findings related to the original November breach.

In a message sent to the newly identified victims, Coupang stated, "We have significantly strengthened our internal monitoring and established a real-time response system. To date, no suspected cases of secondary damage have been detected."

Coupang plans to provide the same level of compensation—including shopping vouchers—to the newly confirmed victims as it did for the previously identified group.

 

 

[ⓒ 알파경제. 무단전재-재배포 금지]