The fallout continues after a data breach at South Korea’s leading e-commerce platform Coupang exposed the personal information of nearly three-quarters of the Korean population.
Two months after the breach was made public in November, the government and the company are at odds over how to untangle the aftermath. Despite the air of uncertainty, the issue makes one thing clear: Coupang is deeply enmeshed in the nation’s everyday commerce and way of life.
Months of unauthorized access
- Coupang confirms on Nov. 29 that personal data of 33.7 million customers was compromised, including names, emails, phone numbers and delivery addresses
- Ex-employee of Chinese nationality exploited authentication vulnerability in Coupang servers; Access gained without normal login process via overseas servers
- Illicit access went undetected for five months from June to November 2025; weak signing key management, delayed detection cited as key failure
- Only Korean users affected; No breach confirmed in Taiwan
- Taiwan launched biometric passkey login before Korea, prompting accusations of a double standard in security rollout
- Written apology issued one month after disclosure; said he prioritized “action over words,” later admitted a communication failure
- Pledge: cybersecurity overhaul + 1.69 trillion won ($1.2B) compensation package
- Per-user package 50,000 won: 5,000 won each for the main Coupang platform and Coupang Eats and 20,000 won each for Coupang Travel and R.LUX
- Kim keeps skipping hearings, citing prior global business commitments as CEO of a company operating in over 170 countries
- Lawmakers angry over disregard for country generating over 90 percent of revenue
Controversial internal investigation
- Coupang’s claim:
- Former employee accessed data from 33 million accounts, but stored data from only about 3,000 accounts; no data transferred to third parties; no external leak confirmed
- Internal probe results released in cooperation with the National Intelligence Service
- Coupang referred its breach findings to the SEC in an 8-K filing on Dec. 29
- Authorities’ response:
- Science Ministry called it one-sided; police said there was no coordination
- Intelligence agency denied giving orders or approval; disputed Rogers’ testimony on timing and forensic copies
- Privacy regulator urged Coupang to remove its internal-probe notice; Coupang complied on Jan. 20
- Fair Trade Commission: Business suspension possible if remedies are insufficient
- Coupang could face fines of up to 3 percent of average annual revenue, with penalties reaching up to 1 trillion won; lawmakers considering raising the cap to 10 percent
- Still ranks as Korea’s most-used e-commerce platform
- Weekly active users: fell from 29.4 million to 27.7 million from late November to Dec. 28, according to WiseApp Retail Goods
- Daily active users rebound after vouchers: 14.59 million on Dec. 31 to 16.39 million on Jan. 16, according to Mobile Index
- Coupang Inc. is listed on the New York Stock Exchange; stock price slid from $28.16 on Nov. 28 to $19.99 on Jan. 23, down 29 percent
- Investor lawsuit alleges weak cybersecurity and SEC disclosure failures; Korean users file privacy damages claims
- Main competitors in Korea: Naver Plus Store, Market Kurly, Gmarket, SSG.com
- Coupang Inc. has spent over $10 million on US lobbying
- US-side criticism:
- US officials link case to broader concerns over Korea’s digital regulation; claims Korea is discriminating against US tech companies
- Rep. Adrian Smith: Korea “aggressively” targeting US tech firms
- Former security adviser Robert O’Brien: harsh regulation could strain ties; targeting US firms undermines trade rebalancing
- US investment firms: Greenoaks and Altimeter petitioned the USTR, alleging Korea unfairly targeted Coupang in favor of Korean and Chinese companies and calling for Section 301 trade remedies
- Korea’s response:
- Prime Minister Kim Min-seok: talks with US Vice President JD Vance eased tensions, acknowledged legal differences and led to a hotline to prevent misunderstandings
- Trade Minister Yeo Han-koo: met with US lawmakers and USTR officials; explained the probe is domestic law enforcement and should not be framed as a Korea-US dispute
- Korean American civic group: Warned Coupang not to use US lobbying to shield itself; Coupang should not fuel Korea-US conflict for self-interest
- Jun. 24, 2025: Suspected start of unauthorized access via overseas servers
- Nov. 18, 2025: Coupang becomes aware of cybersecurity incident
- Nov. 20, 2025: Reported data leak of 4,500 user accounts to the Personal Information Protection Commission
- Nov. 29, 2025: Coupang publicly discloses breach; scale later confirmed at 33.7 million users
- Dec. 2–3, 2025: Then-CEO Park Dae-jun appears before National Assembly committees
- Dec. 10, 2025: Park Dae-jun resigns; Harold Rogers steps in as new CEO
- Dec. 17, 2025: National Assembly’s Science, ICT, Broadcasting and Communications Committee holds a hearing, with Harold Rogers in attendance
- Dec. 25, 2025: Coupang announces internal probe results, claiming all stored data was recovered with no external transfer
- Dec. 28, 2025: Bom Kim issues public apology
- Dec. 30–31, 2025: Joint parliamentary hearing involving six standing committees held, with Harold Rogers in attendance
