- Trending
- Comments
- Latest
A former Coupang employee exploited retained system access to steal personal data from 37.7 million users over a five-month period, prompting South Korea’s e-commerce giant to announce a $1.17 billion voucher compensation program—one of the largest corporate data breach responses in Asian history.
Seoul police identified a 43-year-old Chinese national who worked at Coupang until 2024 as the primary suspect, revealing the breach persisted from June through November before detection. The incident has already cost Coupang more than 2 million daily active users as customers migrate to rivals like Gmarket and Naver Plus Store.
In response, the company announced it will issue more than $1.17 billion worth of vouchers, with distributions scheduled to begin on Jan. 15, 2026.
At the center of Coupang’s response to the Coupang data breach is a compensation package aimed at restoring user confidence after months of uncertainty.
On Dec. 29, the company said each affected customer will receive vouchers totaling 50,000 won (about $34.87), distributed across four categories covering Coupang Eats, Rocket and Marketplace services, Coupang Travel, and Allux products.
The vouchers will be redeemable through the Coupang app, where users can verify eligibility once the compensation window opens. Altogether, the plan represents a financial commitment of roughly $1.17 billion, underscoring the severity with which the retailer is treating the fallout from the Coupang data breach.
Coupang interim CEO Harold Rogers said the leadership team recognizes the anxiety caused by the incident.
“All of Coupang’s executives and employees are deeply reflecting on how much concern and anxiety the recent personal information leak has caused our customers,” — Harold Rogers, Interim CEO, Coupang.
Rogers added that the voucher program is intended as a concrete step toward accountability and rebuilding trust following the Coupang data breach, which has drawn criticism from consumer groups and heightened attention from regulators.
Authorities have traced the Coupang data breach to an insider threat, according to findings released by the Seoul National Police Agency. Investigators identified a 43-year-old Chinese national, a former Coupang employee who worked at the company between November 2022 and 2024, as the primary suspect.
Police say the individual retained access to internal systems after leaving the company and exploited an electronic coupon key to gain unauthorized entry to Coupang’s servers. The breach persisted for months before detection, allowing large volumes of personal data to be extracted.
Second Vice Minister Ryu Je-myung confirmed that investigators have secured internal documents, access logs, user credential records and IP address histories to reconstruct how the Coupang data breach unfolded.
The case has also prompted warnings from Coupang and authorities about a spike in phishing attempts, including fraudulent text messages and phone calls impersonating the company.
“All of Coupang’s executives and employees are deeply reflecting on how much concern and anxiety the recent personal information leak has caused our customers,” — Harold Rogers, Interim CEO, Coupang.
The repetition of that message, Rogers said, reflects the seriousness with which the company views the Coupang data breach and its obligation to affected users.
Beyond regulatory and security concerns, the Coupang data breach has had measurable commercial consequences. According to Mobile Index data, Coupang’s daily active users fell from 17.99 million before the breach to 15.94 million afterward, as some customers shifted spending to competitors such as Gmarket and Naver Plus Store.
Industry analysts note that the decline highlights how data security incidents can rapidly alter consumer behavior in South Korea’s highly competitive e-commerce sector. Even though sensitive financial information was not exposed, the personal nature of the leaked data has heightened fears of targeted scams and identity misuse.
Coupang has urged users to remain vigilant, advising them to avoid suspicious links and unsolicited communications referencing the Coupang data breach. The company says it is strengthening internal access controls and monitoring systems as investigations continue.
The Coupang data breach stands as one of the largest personal data incidents in South Korea’s digital economy, affecting nearly two-thirds of the population. With compensation set for early 2026 and criminal proceedings underway, the case is likely to influence how regulators and companies address insider risk and long-term data retention practices.
For Coupang, the challenge extends beyond vouchers and public apologies. Sustaining user trust will depend on whether the company can demonstrate lasting improvements in security governance after the Coupang data breach, even as rivals capitalize on temporary shifts in consumer loyalty.
