The breach has already had immediate financial consequences: Coupang’s New York-listed stock fell 5% overnight. The company now faces a police investigation, potential fines, and the threat of a class-action lawsuit.
President Lee described the breach as a “wake-up call” for corporate South Korea. Speaking at a cabinet meeting, he expressed shock that Coupang had failed to detect the intrusion for five months, emphasizing that those responsible must be swiftly identified and held accountable.
“The wrong practice and the idea of not giving necessary care for personal data protection, which is a key asset in the age of artificial intelligence and digitalisation, must be completely changed,” Lee said. He instructed regulators to review existing fines and punitive damages in data breach cases to ensure companies take stronger measures to protect customer information.
Under current South Korean law, companies that fail to implement adequate data protection can be fined up to 3% of annual revenue. For Coupang, which reported 38.3 trillion won ($680 million) in revenue in 2024, this could mean a potential fine exceeding 1 trillion won.
How the Breach Occurred
Coupang’s Chief Information Security Officer, Brett Matthes, told a parliamentary hearing that the breach involved a private encryption key, which allowed the perpetrator to create a forged token and impersonate customers. “We do believe that this person, if it is the person, had a privileged role within the organisation that would have given him access to the key that has been taken,” Matthes said.
CEO Park Dae-jun confirmed that a former Coupang engineer involved in developing the company’s authentication system is the primary suspect, though he suggested others may also have been involved. Park did not disclose the individual’s name.
The company has publicly apologised for the incident, but members of parliament have called on Coupang founder Bom Kim, a Korean American entrepreneur who established the company in 2010, to issue a personal apology.
Scale and Implications
The exposed data includes customer names, email addresses, phone numbers, and home addresses. Notably, the number of affected individuals—33 million—far exceeds Coupang’s active user base of 24.7 million, highlighting the scale of the breach.
Reports indicate that the breach first occurred in June, yet Coupang did not notify government authorities until November, raising concerns over delayed disclosure and the company’s internal monitoring systems.
The incident underscores the increasing risks facing companies in South Korea as digitalisation and artificial intelligence become integral to business operations. President Lee’s call for tougher enforcement sends a clear message that lapses in data protection will face severe consequences, both legally and reputationally.