Coupang May Face US SEC Fine Over User Data Breach
- ByStartupStory | December 4, 2025
South Korean E-Commerce Giant Faces Regulatory Scrutiny After Massive Leak Affecting 33M+ Users
Coupang, South Korea’s largest online retailer often dubbed the “Amazon of Korea,” is under intense scrutiny following a massive data breach that exposed personal information of approximately 33.7 million customers—nearly two-thirds of the nation’s population. The incident, detected in mid-November but believed to have started in June, has sparked investigations by South Korean authorities and potential U.S. SEC fines, given Coupang’s NYSE listing and global operations.
Breach Details And Attribution To Ex-Employee
The leak compromised names, email addresses, phone numbers, delivery addresses, and partial order histories for accounts created between 2019 and October 2025. Financial data like credit card details remained secure, but the scale marks South Korea’s worst breach in over a decade, surpassing SK Telecom’s 23 million-user incident earlier this year.
South Korean media reports point to a former Chinese employee exploiting unrevoked server access post-resignation. The individual allegedly accessed domestic servers from overseas, sending threatening emails with stolen data to customers. Coupang notified regulators on November 18 after initial detection in 4,500 cases, revising upward nine days later amid backlash over delayed disclosure.
Regulatory Response And Punitive Damages Risk
President Lee Jae-myung demanded tougher penalties during a cabinet meeting, calling the breach “absurd” and instructing ministries to enforce punitive damages up to five times actual harm under the Personal Information Protection Act. Fines could reach 3% of Coupang’s 38 trillion won ($28 billion) 2024 revenue—over 1 trillion won ($680 million)—if negligence is proven.
The Personal Information Protection Commission formed a joint probe with police, considering ISMS-P certification revocation that qualifies firms for 50% fine reductions. Lawmakers criticized Coupang’s failure to notify financial regulators despite Coupang Pay auto-enrollment risks.
US SEC Implications And Market Reaction
As a U.S.-listed firm (NYSE: CPNG), Coupang faces SEC disclosure requirements under Sarbanes-Oxley. Shares dropped 5% post-announcement, with analysts monitoring Material Weakness risks from delayed reporting. Bloomberg notes this caps a record year for Korean cyber incidents.
Coupang apologized, emphasizing no payment data compromise, and enhanced monitoring while cooperating with authorities. Victims report spam surges, fueling class-action lawsuits seeking 100,000-200,000 won per person.
Broader Context Of Korean Data Security Crisis
2025 breaches hit SK Telecom (134.8 billion won fine), KT, and TeCard, prompting calls for stricter measures. Experts highlight proving actual damages challenges but note secondary harms like phishing risks from exposed addresses/orders.
Coupang’s crisis tests crisis management amid 24.7 million active users and $28 billion revenue, with potential landmark penalties reshaping corporate accountability in Korea’s digital economy.
Follow Startup Story
Related Posts
