Cyber Incident Victim: Coupang Inc.

In November 2025 Coupang disclosed that a former employee had stolen an internal security key, which enabled unauthorized access to personal data from 33.7 million user accounts, and the company said the breach was discovered on November 18 2025. The compromised information included names, phone numbers, delivery addresses, email addresses and certain order histories, while payment data, login credentials and individual customs numbers were not accessed according to Coupang’s statements. In a follow‑up announcement on February 5 2026 Coupang confirmed that an additional 165,000 users were affected by the same incident, bringing the total disclosed impact to roughly 34 million individuals. To address the breach Coupang said it would provide purchase vouchers worth 50,000 South Korean won each to 34 million users, amounting to 1.69 trillion won or approximately $1.17 billion in compensation, with eligibility checks to begin on January 15 2026. The company also reported that it had recovered all leaked customer information through cooperation with authorities and that the suspect’s computer contained only about 3,000 records, which were not distributed or sold externally. In the wake of the disclosure Coupang’s logistics arm announced in mid‑December 2025 that full‑time workers at major fulfillment centers could apply for unpaid leave, and more than 5,000 employees accepted the offer over the following month; hiring slowed sharply with about 1,400 fewer workers hired in December compared to the previous month, resulting in a workforce reduction of roughly 6,400 logistics staff over that period. Concurrently Coupang’s daily active users fell to 14.8 million by late December 2025, a decline of 17.7 percent from early in the month, and payment volume dropped 7.7 percent between the first week of November and the third week of December, while rival platforms such as SSG.com and Market Kurly reportedly saw order increases of 10 to 15 percent following the breach.

South Korean police raided Coupang’s Seoul headquarters, tax authorities launched a special audit, and the National Assembly summoned executives for questioning after the breach was made public. Coupang founder Bom Kim declined to travel to Korea for the hearings, citing his role as a global chief executive, and Korean police requested that immigration authorities notify them if he entered the country. Korean regulators indicated they could potentially impose financial penalties, noting that under existing law fines could reach up to three percent of revenue and that legislators had introduced a bill to raise the maximum to ten percent for major data breaches. Coupang filed a Form 8‑K with the U.S. Securities and Exchange Commission on December 16 2025, stating that it had activated incident‑response procedures, blocked the threat actor’s access, reported the matter to Korean regulators and law enforcement, and notified affected customers. In December 2025 two U.S. investor‑rights law firms filed class‑action lawsuits in the Northern District of California on behalf of shareholders who bought Coupang stock between August 6 and December 16 2025, alleging false and misleading statements, inadequate cybersecurity controls, and failure to file a timely 8‑K report; the lawsuits named Bom Kim, CFO Gaurav Anand and Coupang Inc. as defendants. Separately, five U.S. investment firms holding Coupang shares announced their intent to pursue arbitration against South Korea under the U.S.–Korea free trade agreement, claiming the Korean government’s enforcement response was disproportionate. The political fallout extended to the United States‑South Korea alliance, with South Korean officials saying the breach had shaken ties and U.S. lawmakers accusing Seoul of discriminatory actions against American companies; the Trump administration reportedly linked its decision to raise tariffs on South Korean goods from 15 percent to 25 percent to the Coupang matter and other issues, and a scheduled visit by a U.S. delegation was postponed. Coupang increased its lobbying expenditures in Washington, spending over $3 million in 2025 and doubling its first‑quarter 2026 outlay compared to the same period in 2025, with contacts extending to the White House and the vice‑president’s office. Market reactions included an initial stock price decline after the breach disclosure, followed by a relief rally in late December 2025 when Coupang clarified that the former employee had retained data from only about 3,000 accounts, which drove the share price up roughly 9 percent on December 26 2025; analyst consensus at that time cited a Strong Buy rating with average 12‑month price targets in the mid‑30s dollar range. The company noted that it could not reasonably estimate potential losses from remediation, regulatory penalties or litigation, but warned that the incident could lead to potentially material financial losses even though operations were not materially disrupted.