Most bank robberies in movies involve masks, complex plans, and a getaway car.

They are loud, violent, and fast.

But in late 2025, one of the largest data leaks in South Korea’s history did not need any weapons.

It did not even happen at night.

All it took was one employee, a digital “master key” that should have been destroyed, and a company that wasn’t watching closely enough.

They call Coupang the “Amazon of Korea.”

It is the company that changed how South Koreans live, delivering everything from fresh eggs to new electronics before most people have even had their morning coffee.

It was the unstoppable giant of South Korean business, a fortress of technology and convenience.

But giants fall the hardest.

While Coupang was busy delivering millions of packages at lightning speed, someone was quietly walking out the back door with the personal secrets of half the country.

Coupang wasn’t hacked by a foreign army or a sophisticated cyber-gang; instead, it forget a basic rule of security.

If you give an employee keys to your data, make sure you take the key back when they leave.

The Giant in the Room

To understand why this breach was such a disaster, you first have to understand what Coupang means to South Korea.

For people living in Seoul, Busan, or Incheon, Coupang is not just a website.

It is a utility, like electricity or running water.

South Korea is one of the most connected countries on Earth.

People work long hours, and they expect their services to keep up.

Coupang filled this need perfectly.

Their “Rocket Delivery” service promised that if you ordered something before midnight, it would be at your door by 7:00 AM the next day.

It felt like magic.

Over the years, the company grew into a monster of efficiency. They built massive warehouses, hired thousands of drivers, and created a digital map of the entire country’s shopping habits.

By 2025, nearly every adult in South Korea had a Coupang account.

The app knew where they lived.

It knew their phone numbers.

It knew what size shoes they wore, what brand of diaper they bought for their babies, and what snacks they liked to eat late at night.

The company had become the “Amazon of Korea” not just because it was big, but because it was trusted.

You don’t give your home address and your gate code to a stranger.

You give it to a friend.

Coupang had positioned itself as that helpful, invisible friend.

But as the company grew, the amount of data it held became dangerous.

It was a goldmine of information.

And as any historian will tell you, where there is a goldmine, there are people looking to steal from it.

The problem for Coupang was that the thief was already inside the mine.

The Insider and the Key

The story of the breach centers on a specific role within the company: the software engineer.

These are the architects of the digital world. They build the websites, the apps, and the databases that make the service run.

To do their jobs, they need access.

They need keys.

In the digital world, a “key” isn’t a piece of metal. It is a long string of code, a cryptographic signature. This key allows a computer program to talk to a database.

It says, “I am allowed to be here. Show me the information.”

Sometime before June 2025, a software engineer at Coupang obtained one of these private keys.

This specific key was powerful.

It was designed to generate “session tokens.”

Think of a session token like a wristband at a concert. Once you show your ticket and get the wristband, security stops checking you.

You can walk in and out as much as you want.

The engineer was working on the system that authenticates users. This gave him a unique understanding of how Coupang’s doors locked and unlocked.

When he decided to leave the company, he didn’t just pack up his coffee mug and his photos.

He packed the digital key, too.

This was the first failure.

When an employee leaves a tech company, especially one with access to sensitive data, there is supposed to be a strict “off-boarding” process.

Accounts are shut down.

Passwords are changed.

Keys are rotated or cancelled.

It is the digital equivalent of changing the locks on the office door.

But at Coupang, this didn’t happen.

The engineer walked out of the building, but his digital ghost remained inside.

The Slow Siphon

On June 24, 2025, the theft began.

The attacker, now believed to be operating from China, started using the stolen key.

But he was smart.

He didn’t try to download all the data at once.

If he had tried to grab 33 million records in a single hour, the company’s alarms would have gone off.

It would have looked like a massive spike in traffic, and security teams would have shut it down instantly.

Instead, the attacker moved slowly.

He used the stolen key to create fake user sessions.

To the Coupang system, these looked like normal customers logging in to check their orders or update their profiles.

The attacker programmed his computer to ask for data in small batches.

A few hundred records here.

A few thousand there.

He also covered his tracks by using different IP addresses.

An IP address is like a digital return address; it tells a website where a visitor is coming from.

By constantly changing his digital location, the attacker made the traffic look random and disconnected. It looked like normal activity from regular users all over the world.

This went on for days.

Then weeks.

Then months.

Throughout July, August, September, and October, the data flowed out of Coupang’s servers.

The attacker was patient.

He was siphoning off the lifeblood of the company drop by drop.

The security systems at Coupang were designed to look for “sledgehammer” attacks—big, loud attempts to break in.

They were not tuned to catch a “mosquito” that was quietly drinking its fill.

Critics later called this a “man-made disaster.”

They argued that Coupang’s monitoring was negligent. A simple check of the logs might have shown that one specific key was generating an impossible number of login sessions.

Or someone might have noticed that an employee who quit in June was still “working” in the system in August.

But nobody looked.

The Wake-Up Call

The silence finally broke in mid-November. But it wasn’t Coupang’s security team that broke it.

In late November, Coupang received an email.

It was a threat.

The sender claimed to possess the personal information of millions of customers.

They demanded that Coupang tighten its security, warning that the data was exposed.

Unlike many cyber-criminals, this person did not demand a cash ransom. They demanded attention.

The email triggered a panic inside Coupang headquarters. Engineers scrambled to verify the claim.

They dove into the system logs, the digital diaries that record everything that happens on a server.

What they found was terrifying.

They saw the pattern.

They saw the stolen key.

And they saw the timeline.

They realized that the door had been open since June.

At first, they thought the damage was small. Initial checks suggested about 4,500 accounts had been accessed. That would have been bad, but manageable.

Unfortunately, the attacker had not just visited a few thousand accounts. He had systematically cycled through millions of them.

The final count was staggering: over 33 million accounts.

The number was almost impossible to comprehend. South Korea has a population of about 51 million.

This meant that roughly two out of every three people in the country were victims.

Coupang says no credit card numbers, bank details, or account passwords were exposed, but for most people, that was cold comfort.

Their home lives were laid bare.

The data included names, phone numbers, email addresses, and home addresses.

It included order histories.

It provided an intimate look into the lives of millions of South Korea.

National Security Risks

While the public was angry about spam calls and lost trust, military and intelligence experts were worried about something much darker.

The Coupang data was incredibly precise. Because delivery drivers need to know exactly where to drop a package, the system stores gate codes, building numbers, and specific apartment units. This created a national security nightmare.

Reports emerged that South Korean soldiers often ordered packages directly to their bases.

To ensure the delivery driver could find them, they would enter specific details—like “Battalion 7, Building 3, Room 104.”

When you aggregate millions of these orders, you can start to build a map of secret military facilities.

This reminded security experts of the “Strava” incident a few years earlier. In that case, a fitness app published a “heat map” of where people were running.

It accidentally revealed secret U.S. military bases in the desert because soldiers were jogging around the perimeter with their fitness trackers on.

The Coupang breach poses a similar risk.

If a foreign adversary gets hold of this data, they could see exactly where soldiers are living, where high-ranking commanders sleep at night, and the layout of restricted military zones.

It turns a shopping list into a spy map.

The South Korean military has had to scramble to assess if their base locations have been compromised by something as simple as a delivery order for socks or snacks.

The Absent American and the Sacrificial Lamb

For the average Korean citizen, the news came as a personal betrayal.

People felt exposed.

Internet forums and group chats lit up with anger. Users realized that the strange spam calls and phishing texts they had been receiving over the last few months weren’t random.

They were likely a direct result of their data being sold or used by criminals. “No wonder I’ve been getting so many spam calls,” became a common refrain on social media.

The sheer scale of the breach turned it into a political firestorm.

President Lee Jae-myung called the incident “astonishing” and convened an emergency meeting.

Police launched a criminal investigation, tracking the digital footprints back to China and identifying the former engineer as the prime suspect.

But the anger wasn’t just directed at the thief; it was directed at the leadership. The public wanted heads to roll.

Specifically, they wanted Coupang’s founder, Bom Kim.

In South Korea, people expect the “owner” or founder of a company to act like a captain of a ship.

When the ship hits an iceberg, the captain must stand in front of the passengers and bow his head in shame.

But Bom Kim is a U.S. citizen who spends much of his time in the United States.

He did not appear at the hearings.

To the Korean public, it looked like the captain was hiding safely in America while the ship burned in Seoul.

His absence felt like an insult.

On December 10, 2025, the pressure became too much.

Park Dae-jun, the CEO of Coupang’s Korean operations, officially resigned.

In South Korean corporate culture, this is known as the “sacrificial lamb”—a leader stepping down to satisfy public anger, even if the root problems lie elsewhere. In a statement, Park said he felt a “heavy sense of responsibility” for the incident.

To replace him, the company didn’t hire a local Korean executive.

Instead, the U.S. parent company stepped in.

They appointed Harold Rogers, a top American executive, as the interim CEO.

This move highlighted a fact that many had forgotten: Coupang (CPNG) is actually a U.S. company, listed on the New York Stock Exchange (NYSE).

The American Connection

When the news broke, Coupang’s stock price on the NYSE dropped about 5%. American investors were not happy. They saw a company that had failed to protect its most valuable asset, its customers’ trust.

Worse, the company is now facing scrutiny from the U.S. Securities and Exchange Commission (SEC). U.S. law requires companies to tell their investors about major cyberattacks within four days.

Coupang found the breach on November 18 but didn’t tell the public until November 29. That delay could cost them millions in fines in the U.S., on top of the fines they face in Korea.

By mid-December, legal clouds are gathering on both sides of the Pacific.

In Seoul, over 200,000 people had signed up for class-action lawsuits.

In the U.S., lawyers were preparing a federal lawsuit on behalf of American shareholders who felt they were misled.

Who Pays For This?

If regulators conclude Coupang violated South Korea’s Personal Information Protection Act by failing to put adequate safeguards in place, they can hit the company with a fine of up to 3% of its annual revenue.

Based on Coupang’s recent revenue, that could mean a penalty of more than 1 trillion won—hundreds of millions of dollars.

For a company that only recently started posting consistent profits, a fine anywhere near the upper limit could wipe out a year or more of earnings.

And that’s before you add the cost of class-action settlements, security upgrades, and reputational damage.

The Open Door

Coupang has promised to fix the mess.

Under their new American interim CEO, they have pledged to build higher digital walls and install stronger locks.

They have hired expensive security experts from around the world to audit their systems.

They have apologized to South Koreans, over and over again.

But the users who had their lives exposed know the uncomfortable truth. Security isn’t just about software or firewalls.

It is about people.

It is about the discipline to follow the rules every single day.

The Coupang leak was not caused by a genius hacker who broke an unbreakable code.

It was caused by a simple mistake.

It does not matter how strong the safe is if you leave the key in the pocket of someone walking out the door.

We can change our passwords, but we cannot change our home addresses or our histories. The breach served as a harsh reminder that in the modern world, we don’t truly own our lives; we merely lease them to the companies that make them convenient.