Although the latest and possibly most significant breach of the year did not stem from a British company or even a British entity, the breach suffered by South Korea's Coupang is still one which should be respected and learnt from. An international and national online retailer, Coupang has been deemed South Korea's Amazon, which makes the data breach it suffered at the end of last year one of the most significant of 2025.
In this blog, we’ll look at what happened as well as what other organisations can learn from how Coupang responded to the incident.
Who Are Coupang?
On November 14, 2025, the first disturbances were noted. Abnormal activity, including access to users' profiles and documents, was detected, marking the start of a breach that would continue. On November 18, confirmation of the breach was published, and this was followed by the resignation of the CEO of the Coupang South Korean entity. Since then, it has been confirmed that the personally identifiable information of potentially up to 34 million individuals was breached, with reports indicating that this accounts for up to two-thirds of the entire South Korean adult population.
It has since been revealed that the threat actor in this case was an employee who gained unauthorised access. The company has refused to respond to any further questions but has disclosed that details of 3,000 accounts were found on the employee's laptop, and all other devices have been seized.
Investigations were launched immediately by Coupang itself, as well as the Personal Information Protection Commission. It was discovered that names, phone numbers, delivery addresses, including apartment access codes and other sensitive data were breached. The National Assembly has condemned the founder of Coupang for refusing to testify at parliamentary hearings regarding the breach, with members of the National Assembly criticising the company's response and actions in the wake of the breach.
Coupang’s Media Response
Coupang released another statement in mid-December, detailing their compensation plans, which included a voucher to be used at any of Coupang's subsidiary entities, equivalent to £25 for each individual affected.
The public's and the government's responses to the breach, and the handling of the incident, are to be studied and not repeated. Coupang released its statement regarding the breach, and then the public saw an unsteady internal climate within the company: the CEO stepping down, the founder not testifying, the CEO of the American entity not promptly showing his empathy and respect for the millions of individuals who were at risk, and a scramble to find an interim CEO amongst the chaos of internal and external investigations. Reports are now saying that Coupang's shares have dropped by 1/3 of their pre-incident value.
What Should be Taken Away From This Incident?
- Have incident response plans in place which are effective and cover all areas of breaches
- Have press release plans
- Have robust internal and external security in place to ensure there is no unauthorised access to systems, including the ability to save clients' personal data
- Ensure key stakeholders are aware of these plans and can manage the fallout
The aim of working with a cybersecurity company that can offer end-to-end protection is to prevent data breaches. However, in the instances when they do happen, it is to minimise the fallout and learn from the incident.
Bridewell prides itself on providing a comprehensive experience when offering our consulting services. This means we consider the local and global landscape of both the business area you are in and the public's perception of that business area. Public opinion and confidence are among the top priorities when handling any data privacy-related work, but most importantly when handling a breach.