A data breach at Coupang that exposed the information of 33.7 million customers has been tied to a former employee who retained access to internal systems after leaving the company.

This was shared by the Seoul Metropolitan Police Agency with local news outlets, following an investigation that included a raid on the firm's offices earlier this week.

Coupang is South Korea's largest online retailer, employing 95,000 people and generating annual revenue of over $30 billion.

On December 1, 2025, the company announced that it had suffered a data breach that exposed the personal data of 33.7 million customers, including names, email addresses, physical addresses, and order information.

The breach occurred on June 24, 2025, but Coupang only discovered it on November 18, when it also launched an internal investigation.

On December 6, Coupang published an update on the incident, assuring its customers that the stolen information had not been leaked anywhere online.

Despite these assurances and the company's claimed full collaboration with the authorities, the police raided the company's offices on Tuesday to collect evidence for an independent investigation.

On Wednesday, the company's CEO, Park Dae-Jun, announced his resignation and apologized to the public for failing to stop what is the country's worst cybersecurity breach in history.

As the police continued their investigations in Coupang's offices for a second day, they uncovered that the primary suspect was a 43-year-old Chinese national who was a former employee of the retail giant.

According to JoongAng, the man, who joined Coupang in November 2022, was assigned to an authentication management system and left the firm in 2024. He is believed to have already left the country.

The Korean news outlet reports that the police were still at Coupang's offices yesterday, gathering records such as internal documents, logs, system records, IP addresses, user credentials, and access histories that could help explain how the rogue former employee gained access to the corporate systems.

The police have stated that, while Coupang is treated as the victim, if negligence or other legal violations are found, the company and employees responsible for protecting customer data may be deemed liable.

In the meantime, the incident has sparked high-volume phishing activity in the country, affecting roughly two-thirds of its population, and the police have received hundreds of reports of Coupang impersonation since the start of the month.