The resignation of Coupang CEO Park Dae-jun marks a stunning conclusion to South Korea’s worst cybersecurity disaster in over a decade.
The e-commerce giant’s data breach exposed 33.7 million customers—nearly two-thirds of the entire country’s population—after hackers operated undetected for five months through overseas servers.
Police have identified a former Chinese employee as the primary suspect, who exploited stolen encryption keys and authentication vulnerabilities to access customer names, phone numbers, email addresses, and delivery information. The suspect fled the country before authorities could make an arrest.
The scale that blindsided an entire nation
The true scope of this disaster emerged gradually, painting a picture of corporate negligence that has left millions vulnerable. Coupang initially reported only 4,500 compromised accounts on Nov. 20, but further investigation revealed the actual number was nearly 7,500 times larger than first believed.
The breach began Jun. 24 and continued undetected until Nov. 18—a five-month window that has prompted President Lee Jae-myung to call the failure “truly astonishing.” Throughout this period, attackers systematically harvested personal data while Coupang’s security systems remained completely blind to the infiltration.
Payment details remained secure, according to company statements, but the exposed information includes everything criminals need for identity theft and targeted phishing campaigns. South Korean authorities have raided Coupang’s headquarters twice recently, searching for evidence about how such extensive unauthorized access could continue unnoticed.
The breach couldn’t have come at a worse time for South Korea’s digital economy ambitions. Just as the government pushes to establish the country as a global AI leader, public trust in data protection has crumbled overnight.
Political firestorm and regulatory reckoning
Political backlash has been swift and devastating, with emergency government meetings convened across multiple agencies. Prime Minister Kim Min-seok warned that strict action would be taken if violations are discovered, while regulatory investigators examine whether Coupang failed to implement required security safeguards.
The country’s data protection watchdog has criticized Coupang for attempting to minimize liability through problematic terms of service and making account cancellation too difficult for concerned users. Such moves suggest desperate corporate attempts to shift responsibility away from fundamental security failures.
Under South Korea’s Personal Information Protection Act, Coupang faces potential fines up to 1 trillion won ($681 million)—roughly 3% of related revenue. This would dwarf the previous record fine of 134.8 billion won imposed on SK Telecom earlier this year for a breach affecting 23.24 million customers.
Harold Rogers has been appointed interim CEO to manage the crisis and attempt to restore public confidence. Rogers inherits a company facing not only regulatory penalties but also a U.S. class-action lawsuit alleging SEC filing violations.
Corporate cybersecurity awakening across Asia
This breach exposes a troubling disconnect between Coupang’s massive revenue and security investment priorities. Despite generating over 41 trillion won annually, the company invested only 89 billion won in cybersecurity this year. Even more concerning, security spending as a percentage of IT investment declined from 7.1% to 5.6% between 2022 and last year.
Such cost-cutting in critical security areas reflects broader corporate attitudes across South Korea’s tech sector, where efficiency often trumps protection. The five-month detection window suggests fundamental weaknesses in monitoring systems that should have caught unauthorized access within days, not months.
The incident has triggered calls for sweeping regulatory reforms, including class-action lawsuit mechanisms and mandatory disclosure requirements. Presidential chief of staff Kang Hoon-sik stated the current punitive damages framework is “virtually ineffective” at deterring corporate negligence.
Coupang’s stock plummeted 16.64% following the breach disclosure, demonstrating how inadequate cybersecurity can devastate shareholder value overnight. The company’s history of repeated data incidents—including breaches in 2021, 2020-2021, and 2023—suggests systemic problems that go beyond any single catastrophic failure.
As governments across Asia recognize that inadequate data protection undermines public trust in digital innovation, companies can expect stricter oversight and penalties that make cybersecurity failures financially existential rather than merely embarrassing.
A fake Leonardo DiCaprio movie torrent is spreading Agent Tesla malware through trusted Windows tools.
