South Korea’s leading online retailer, Coupang, has announced that personal data from 33.7 million customer accounts were illegally accessed, an incident that regulators say constitutes the largest data breach in the country in more than a decade.

According to the firm, unauthorised access began on 24 June via overseas servers and went unnoticed until 18 November.

Coupang has publicly apologised and pledged cooperation with authorities investigating potential violations of data-protection laws.

Park Dae-jun, the chief executive of the company widely regarded as the Amazon of South Korea, posted a short message on its website saying, “We sincerely apologise once again for causing our customers inconvenience.”

His apology comes as the breach joins a growing line of data leaks at major South Korean firms, including SK Telecom, underscoring a pattern of security failures that has now reached millions of ordinary users.

After convening an emergency meeting on Sunday, the government is now examining whether Coupang breached personal-information safety rules, according to Bae Kyung-hoon, the minister of science and ICT (Information and Communication Technology).

Two separate allegations have emerged as investigators examine how the breach unfolded. Yonhap News Agency reported that a former Chinese employee at Coupang is suspected of involvement, noting that the company filed a complaint with police earlier this month and that authorities are now reviewing the claim, although Yonhap did not disclose its sources.

A separate line of scrutiny, detailed by the local newspaper Chosun Ilbo, points to a broader structural failure inside the firm. According to the report, Coupang’s senior management has increasingly prioritised what critics describe as “political defence” the practice of fortifying the company against regulatory pressure, parliamentary audits and potential fines by recruiting former government officials and building influence networks inside public institutions.

This year alone, Coupang hired at least 18 such officials, even as its basic internal security and monitoring systems were allowed to deteriorate to the point that months of unauthorised access went undetected. Lawmakers quoted in the report argue that a company engineered chiefly to manage government relations rather than protect consumers created the conditions in which such a large-scale breach could unfold in silence.

The leaked information reportedly includes names, email addresses, phone numbers, shipping addresses, and certain order histories, but the company says no payment credentials or login passwords were comprised.