Coupang data leak raises concerns over possible exposure of military information

Delivery trucks are parked at a Coupang logistics center in Seoul, Tuesday. Yonhap

A data breach at Coupang that exposed information from roughly 33.7 million customer accounts has stirred concerns within the Korean military that the detailed delivery records could inadvertently disclose the secret locations of military facilities.

Although no security incidents have been reported, military officials say the breach has renewed scrutiny of how personal parcels are managed on and around military installations.

The issue came to light after reports that some soldiers had entered building numbers, unit names and personal identifiers into the company’s delivery app to ensure accurate drop-offs.

One junior officer said that troops had routinely listed a brigade, battalion and building number, along with names and ranks, because broader addresses often resulted in packages being sent to the wrong location. He added that such information could inadvertently reveal the layout or size of certain facilities.

Military officials, however, emphasized that the Coupang data breach is unlikely to translate into direct security risks. Delivery workers do not enter restricted areas, and detailed base coordinates remain hidden on commercial mapping platforms, they said. They added that many items for enlisted personnel are collected off-base when soldiers are on leave or off duty, reducing the volume of parcels entering secured compounds.

One official said on condition of anonymity that online concerns about widespread exposure were “overstated,” noting that delivery workers cannot access operational zones and that units use standardized numbering systems that reveal little about their missions or force structure.

He added that some posts circulating online reflected isolated practices rather than the norm, and that duty officers conduct checks when necessary.

Another official noted that most deliveries to military units are routed through P.O. boxes and consolidated at guard posts or in administrative offices before being distributed internally, thus obscuring precise locations and preventing outsiders from discerning internal layouts.

“An address alone does not indicate what a unit does or how it is organized,” he said, adding that the military has not identified a need for additional countermeasures.

Despite assurances from the Ministry of National Defense that the exposed addresses are not directly linked to operational security, some argue that seemingly mundane personal data can act as a crucial starting point for sophisticated intelligence operations.

Leaked residential and purchase information of higher-ranking military officials living off base could help pinpoint their residences, opening the door for adversaries to assemble detailed profiles for targeted intelligence gathering.

Nevertheless, cybersecurity experts are downplaying the immediate risk of widespread account breaches.

Yoo Jin-ho, a professor of information systems and security at Sangmyung University, said that the leaked data from Coupang is unlikely to lead to secondary misuse on other platforms because “a breach would require matching IDs, passwords, registered cards and personal identification numbers across services.”

He advised users to enable automatic notifications for any changes made to payment methods or personal information, saying it is the most effective way to ensure a quick response if irregular activity occurs.

Consumer groups have begun gathering applicants for a collective dispute mediation process and are preparing further action. They said that the breach represented a significant lapse in security that affects daily safety, and have urged authorities to examine how sensitive delivery information is stored and managed.

Coupang has acknowledged that delivery addresses and access codes were included in the leaked data, stating that it is cooperating with investigators.