In late November 2025, South Korea’s largest e-commerce firm Coupang announced a major cybersecurity incident that quickly became one of the most significant data breaches in the nation’s history. The breach exposed the personal information of tens of millions of users and triggered widespread regulatory, legal, and public backlash, with developments continuing into early 2026.
What Happened? The Breach and Its Discovery Scope of the Breach Coupang confirmed that personal data linked to approximately 33.7 million customers was compromised. This figure represents nearly two-thirds of South Korea’s population, making it one of the largest personal data exposures in the country’s history.
Type of Data Leaked The exposed information included: • Customer names • Email addresses • Phone numbers • Shipping and delivery addresses • Order history Coupang stated that payment information and login credentials were not accessed during the breach.
Cause Early investigations suggested that the breach may have occurred due to the misuse of an internal access key, possibly one that remained active after an employee had left the company.
Timeline Unauthorized access is believed to have started in June 2025 and remained undetected until November 2025. This nearly five-month detection gap raised serious concerns about Coupang’s internal security monitoring and threat detection systems.
The Compensation Plan — What Coupang Announced To address the fallout, Coupang unveiled an unprecedented customer compensation program valued at approximately 1.685 trillion South Korean won, or $1.2 billion USD, to be distributed in the form of shopping vouchers. What Customers Will Receive • Each affected customer will receive vouchers worth 50,000 won (approximately $34–$35 USD).
• Vouchers will be issued starting January 15, 2026 and can be used across Coupang’s services, including: o Core e-commerce platform o Coupang Eats (food delivery) o Coupang Travel o R.LUX (luxury retail) Accounting Impact According to Coupang’s SEC Form 8-K/A filing, the vouchers will be recorded as reductions in recognized revenue, meaning they may materially affect reported sales figures during the redemption period.
Public and Legal Backlash Strong Public Reaction Despite the scale of the compensation program, consumer groups and the public criticized the approach: • Critics described the voucher system as “marketing disguised as compensation”, arguing that it requires customers to spend more money on Coupang to receive value.
• Consumer rights advocates characterized the plan as insufficient and dismissive, stating it failed to provide true restitution.
Government and Legal Response The incident prompted heightened regulatory scrutiny and political debate in South Korea: • Lawmakers and privacy advocates demanded stronger penalties for companies that fail to safeguard user data.
• Renewed calls emerged to expand class action rights in South Korea, which currently lag behind legal frameworks in the EU and United States.
• Multiple lawsuits were initiated, with plaintiffs seeking compensation amounts exceeding the voucher value.
Further Consequences • Authorities conducted search and seizure operations at Coupang offices as part of the ongoing investigation.
• Regulators reportedly discussed the possibility of temporary business suspensions due to systemic security failures.
• A former employee allegedly attempted to destroy evidence by discarding a company laptop into a river, underscoring the seriousness of the investigation.
Economic and Market Impact In the weeks following public disclosure of the breach: • Card transaction volumes on Coupang declined, suggesting erosion of consumer trust.
• Competing South Korean e-commerce platforms reported increased user engagement, as some customers migrated away from Coupang.