Coupang Inc. is confronting a growing backlash over one of the country’s largest data breaches in history, culminating in a newly announced U.S. securities lawsuit that accuses the company of failing to timely inform investors about the cybersecurity incident.
The lawsuit in the U.S. District Court for the Northern District of California targets the company’s stock slide this year. It alleges Coupang’s public statements failed to fully disclose the severity and timing of the breach and its impact on the business. Multiple investor-rights firms are now courting shareholders to join the case and vie to serve as lead plaintiff in litigation that could stretch into 2026.
Coupang Inc. is a New York-listed ecommerce giant often dubbed the “Amazon of South Korea.”
Coupang lawsuit over data breach
The controversy stems from a sprawling cyberattack. Officials now believe it began June 24 but went undetected inside Coupang’s systems for five months. The company said it first learned of irregular activity on Nov. 18. That’s when security tools flagged unauthorized access by a former employee who retained internal access credentials. An initial assessment suggested the breach involved just a few thousand accounts. However, forensic analysis later showed the data breach exposed personal information tied to 33.7 million customer accounts.
The compromised data included:
- Names
- Email addresses
- Phone numbers
- Delivery addresses
- Portions of order histories
Coupang has consistently maintained that login credentials, payment card numbers and other sensitive financial information were not accessed in the breach. It has underscored that point in public statements.
Coupang later said that the attacker technically accessed the database for tens of millions of accounts. However, they retained and stored data from only about 3,000 users and subsequently deleted that information once media coverage of the breach intensified. Company officials have said there’s no evidence the attacker transferred the data to any third party.
Lawsuit contends Coupang understated vulnerabilities
The U.S. lawsuit — one of several investor actions underway — contends that Coupang’s cybersecurity disclosures to the market understated vulnerabilities and delayed investors’ understanding of material risks. It alleges that contributed to losses among shareholders who bought stock between August and mid-December.
Coupang shares slumped sharply in early December amid mounting scrutiny. That erased billions in market value before a partial rebound later in the month on investor optimism that the immediate technical fallout might be limited.
Meanwhile, in South Korea, the breach has triggered intense political pressure. Lawmakers have grilled company representatives in parliamentary hearings, and government agencies are probing whether Coupang violated national data protection laws. Some officials are pushing for tougher penalties on corporate negligence in cybersecurity.
Coupang’s founder, Bom Kim, issued his first public apology for the breach in late December. He acknowledged the “serious concern” Coupang caused and pledged structural investments in stronger defenses. The company also announced a 1.69 trillion won ($1.18 billion) compensation package for South Korean users, offering vouchers to affected account holders — a move that has drawn mixed reactions from consumer advocates and lawmakers.
South Korea’s government has welcomed steps to compensate customers. But critics argue the voucher-based plan falls short of meaningful restitution and could be perceived as a marketing tactic rather than a genuine remediation effort.
The case highlights increasing regulatory and investor scrutiny around corporate cybersecurity practices — particularly how and when major companies disclose breaches under U.S. securities rules. As Coupang navigates concurrent legal, political and market pressures, the episode is likely to reverberate across the technology and retail sectors, underscoring evolving expectations for transparency and risk management in an era of frequent and high-impact cyber threats.
Sign up
Sign up for a complimentary subscription to Digital Commerce 360 B2B News. It covers technology and business trends in the growing B2B ecommerce industry. Contact Mark Brohan, senior vice president of B2B and Market Research, at mark@digitalcommerce360.com. Follow him on Twitter @markbrohan. Follow us on LinkedIn, X (formerly Twitter), Facebook and YouTube.
