1. south Korea was stolen, and the horror is at your front door
in December 2025, South Korea faced a digital disaster of epic proportions: a whopping 33.7 million personal information records were stolen from the country's largest e-commerce company, Coupang. that's a lot of people, including most of South Korea's working-age population, and it's no exaggeration to say that "the whole country's data was stolen." while we've seen credit card breaches and portal site hacks in the past, this is a different kind of scary. it's not just our online usernames and passwords, but also the 'shipping address' and 'common entrance password' of our homes.
this incident is more than just a hacking incident, it exposes the lack of internal control, the wolfhound response, and the ineffectiveness of legal penalties in our society's data security. this report analyzes the specific triggers and technical causes of the Coupang breach, the company's controversial response, and the future of the astronomical fines and class action lawsuits through domestic and international cases and legal evidence.
2. reconstructing the case: a five-month 'free pass'
2.1. The enemy within, and the key that was left unlocked
at the heart of this case is the fact that it was not a sophisticated hacking attack from the outside, but a "human disaster" caused by poor internal security management. the police investigation revealed that the person responsible for the breach was a 43-year-old Chinese developer, Mr. A, a former employee of Coupang.
He joined Coupang in November 2022, worked on the security key management system, and left the company in late 2023. The problem was that his access to the system was not revoked after he left. Mr. A used his authentication keys (JWT signing keys, etc.) to view and steal internal data from Coupang without authorization for about 5 months after he left the company. this is the equivalent of an employee leaving a company and not returning the office keys, but the company didn't even change the door lock combination, allowing the ex-employee to come in and out of the office at night.
industry observers have noted that "it is a security gap that defies common sense for a security-conscious company to entrust a foreign developer in his second year of employment with key security tasks and not immediately block his access after his departure."
2.2. The details and risks of the breach
the 33.7 million pieces of stolen data included customers' full names, phone numbers, and email addresses, as well as shipping address books and order information. of particular concern are the "common door access numbers" that customers entered to facilitate delivery.
breach itemsrisk Analysis name & phone number can be exploited as targeting data for financial fraud, including voice phishing, smishing, etc email addresses possible secondary hacking attempts, including credential stuffing shipping address possible physical threats such as stalking and home invasions due to exposure of your residence common entrance passwords
possession of access codes written for delivery drivers that can be used by criminals as a way to physically enter your home
order history sensitive personal information that could be used to infer your personal preferences, living patterns, financial resources, etc
while Coupang says that payment information (card numbers, account numbers) and login passwords were not compromised, security experts agree that the information that was compromised is enough to cause secondary and tertiary damage, such as voice phishing and home invasions.
3. how organizations responded: a 'golden opportunity' for trust to be breached
3.1. Controversy over calling a 'leak' an 'exposure'
after the incident, Coupang's initial response was heavily criticized by the public. Coupang initially reported the number of affected cases at around 4,500, but further investigation with the Korea Internet and Security Agency (KISA) revealed that the actual number of affected cases was 33.7 million. the difference between 4,500 and 33.7 million is hardly a simple counting error and raises the suspicion that the company was trying to downplay the impact of the incident.
in addition, Coupang used the term "exposure" in its notification to customers, even though it was a clear "breach" of personal information. "Exposure" is a nuanced term that implies that the information was visible to the outside world but unclear whether it was actually taken, while "breach" is a legal term that acknowledges that information has left the company's control. the Privacy Commissioner called it an "attempt to avoid liability" and ordered the company to change the term to "breach" and resubmit the notice.
3.2. Marketing in the apology? Insincere follow-up
when Coupang shared the second apology and notice on social media, including KakaoTalk, the thumbnail and title of the post were displayed as "Offers and deals recommended by Coupang". when sharing the apology, users criticized the situation, saying, "Are you thinking of selling something even while apologizing?"
the company has also been criticized for appearing to be more concerned with mitigating legal risk than actually remedying harm, as evidenced by the "don't mention compensation" guidelines found in agent manuals, and the fact that customers are only given basic harm prevention tips such as "don't call or text to ask them to install an app.
4. a maze of 'dark patterns': even opting out isn't easy
after the personal information leak, many users felt uneasy and attempted to cancel their membership, or "de-fang." However, the complicated withdrawal process designed by Coupang came under scrutiny. The KFTC decided to investigate this as a "dark pattern" that prevents consumers from making rational choices.
4.1. Coupang's 7-step membership cancellation maze
as experienced by real users, Coupang's membership cancellation process was intentionally designed to be complicated, including
hiding the menu: The 'cancel membership' button was not intuitively located within the mobile app.
Forced switching to the PC version: We made it impossible or very difficult to unsubscribe from the app, forcing users to select "View in PC version" at the bottom of the screen to access the unsubscribe menu.
pressure to give up benefits: For paid memberships (Wow Membership), we repeatedly exposed users to phrases like "Canceling now will cost you ~$1" and "Are you sure you want to give up your benefits?" when they pressed the cancel button.
repeated password entry: Members were asked to re-enter their password multiple times, even though they were logged in under the guise of verifying their identity, causing fatigue.
forced surveys: Users had to complete multiple-choice and essay surveys asking for reasons for leaving before they could move on to the next step.
disruptivebutton colors: The "unsubscribe" button was a dull gray, while the "keep" button was a striking color, creating visual confusion.
this process was criticized by the KFTC as "potentially infringing on consumer rights under the E-Commerce Act," and Coupang said it would "simplify the process."
5. the 1 trillion won fine scenario: legal issues and possibilities
one of the biggest concerns in this case is whether Coupang will be fined "trillions of won".
5.1. Amendments to the Personal Information Protection Act and the criteria for calculating fines
in the past, the maximum amount of fines for personal information leakage was limited to '3% of the sales related to the violation', which allowed companies to reduce the fines by calculating the 'relevant sales' through legal responses. However, the revised Personal Information Protection Act (Article 64(2)) significantly increased the maximum amount of fines to '3% of the total sales'.
given that Coupang's annual sales are estimated to be around KRW 30 trillion to KRW 40 trillion in 2024, the math suggests that the company could be fined up to KRW 1.2 trillion or more. president Lee Jae-myung himself has called for increased sanctions, stating, "We should impose strong sanctions by applying the statutory maximum limit of 3% of sales."
5.2. Realistic constraints and mitigating factors
however, the legal community is divided on whether the KRW 1 trillion fine will actually be imposed. this is because there are reasons to reduce the fine in the Enforcement Decree and Notification of the Personal Information Protection Act.
exclusion of unrelated sales: You can exclude sales that are unrelated to the processing of personal information from the total sales.
mitigatingcircumstances: Fines can be reduced if there was no intent, efforts were made to repair the damage, or financial difficulties (such as losses) can be proven.
coupang is likely to argue that the company was not intentional, emphasizing that this was a "criminal act by a former employee in China." It is also expected to try to reduce the fine by arguing that the information stolen was not sensitive financial information, such as payment information. However, there is a strong counterargument that the scope of the reduction will be limited, given the obvious "breach of technical and administrative safeguards" that failed to detect the unauthorized access for five months, and the scale of the damage, which was national in scope.
6. global benchmarking: How did other countries punish? (GDPR cases)
to gauge the level of punishment in the Coupang case, it's worth looking at how Europe's General Data Protection Regulation (GDPR), the world's strongest privacy regulation, has been applied.
6.1. British Airways: The Cost of Lack of Security
in 2018, British Airways suffered an incident in which its website was tampered with by the hacker collective 'Magecart', redirecting around 500,000 customer traffic to a fraudulent site. This led to the compromise of names, addresses, card numbers, and more.20
initial fine: The UK's Information Commissioner's Office (ICO) initially proposed a fine of £183 million, or 1.5% of British Airways' 2017 global revenue.
final fine: However, the final fine was significantly reduced to £20 million, citing the airline industry's financial difficulties due to COVID-19 and British Airways' active cooperation.
implications: Although the fine was reduced, the ICO still held British Airways accountable, stating that the incident "could have been prevented if sufficient security measures had been put in place (such as multi-factor authentication and file integrity monitoring)." this is very similar to Coupang's "failure to manage leaver authentication keys".
6.2. Marriott case: Acquisition 'legacy' risk
the Marriott Hotel Group only discovered in 2018 that the reservation system of Starwood hotels, which it acquired in 2016, had been hacked since 2014. This led to a breach of 339 million customers worldwide.
security Failure: Hackers installed a remote access trojan (RAT) and took over administrator accounts, which Marriott didn't realize for four years.
penalty: The ICO initially issued a fine of £99 million, but finalized it at £18.4 million, again taking into account the COVID-19 situation and Marriott's subsequent actions.
the takeaway: Coupang's five-month undetection is significant because it highlights the importance of security due diligence in mergers and acquisitions and clarifies a company's liability for prolonged failure to detect.
based on these international examples, it is likely that Coupang will be subject to a realistic mitigating factor rather than the maximum of "3% of turnover," but the willingness of Korean regulators will be a key variable, as the number of victims (33.7 million) far exceeds that of British Airways (500,000) or Marriott (7 million) in the UK.
7. the development of class actions: hitting rocks with eggs?
7.1. Limitations and new developments in domestic litigation
currently, tens of thousands of victims are being recruited as class action plaintiffs through a number of law firms, including Shin & Kim, Hannuri, LKB & Partners, and platforms such as Angry People.
in the past, in domestic personal information leakage lawsuits (Nate, auction, card companies, etc.), the amount of compensation per person was often around 100,000 won, as it was difficult for individuals to prove 'concrete financial damages' caused by the leak.
however, the difference this time is that the 'punitive damages system' can be applied. the Privacy Act provides for up to five times the actual damages if the breach was caused by intent or gross negligence. in addition, some law firms are pursuing a strategy of filing a lawsuit against Coupang Inc. in a U.S. court to utilize the U.S. discovery process.
7.2. Cautions for joining a lawsuit
those considering joining a lawsuit should consider the following points
deposit: Most class action lawsuits are filed on a contingency fee basis, with no deposit, but some law firms may require a small deposit.
litigation duration: This is a long battle that can take at least two to three years and as long as five years to reach the Supreme Court.
the payoff: It's important to realize that even if you win, the amount of damages per person may not be significant. however, the more people involved, the greater the pressure on companies.
8. what you can do: Keep your information to yourself
it's going to be a long time before the Coupang case is resolved. Until the investigation is concluded and fines are finalized, here are some security tips you can take right now to protect your own information.
8.1. Action Plan
change your front door password (first priority): this is the most physically threatening piece of information that was compromised. talk to your building's management or neighbors to change your entry password immediately.
check your two-factor authentication (2FA) settings:
merchants (Sellers): make sure that you have two-step verification enabled when accessing the Coupang Wing system. due to recent security enhancements, access may be blocked without authentication.
regular buyers: Please enable 2-step verification for your linked accounts, such as Naver or Google, and turn on the "Block international logins" feature.
beware of smishing: If you receive a text that says "Courier delivery not possible", "Address unknown", or "Coupang damage compensation information", never click on the link. we will never ask you to install an app or provide personal information outside of the official app.
manage your passwords: It's safe to change not only your Coupang account password, but also all passwords for other sites (email, social media, etc.) that use the same username/password (to avoid credential stuffing).
9. conclusion: an inflection point for a safer digital society
coupang's breach of 33.7 million customers' personal information revealed the reality of South Korea's "security backwardness" behind its title as an "IT powerhouse." While building an innovative rocket delivery system, it proved that the digital curtain to protect its customers' most valuable asset - their personal information - was loose.
discussions of fines that could reach $1 trillion and class action lawsuits should send a strong signal to companies that "invest in security or risk going out of business." governments will have to hold companies accountable through strict enforcement of the law, and companies will have to rebuild broken trust with a bone-crushing overhaul.
and it's time for us as consumers to move beyond convenience and act as "data sovereigns" who monitor how securely companies handle our information.
right now, is your front door secure?