The 33.7 Million–Record Personal Data Breach:
We Strongly Condemn the Company’s Opaque Response and Evasion of Responsibility

Not a Simple Accident, but a Collapse of Digital Governance
The personal data breach at Coupang, disclosed in November 2025, is the largest data leak in Korea’s history, affecting 33.7 million accounts—approximately 65% of the population. Names, contact information, addresses, and order histories were repeatedly accessed and stolen without authorization for nearly five months. It has been reported that Coupang became aware of the incident not through its internal detection systems, but through customer reports.
The Korea Transparency Organization views this incident as a structural failure in which multiple issues converged: failure of internal controls, absence of data governance, a mismatch between authority and responsibility in platform companies, and deficiencies in laws and institutions.
Personal data is a fundamental right of citizens and the foundation of corporate trust. Failing to detect the leakage of tens of millions of records over an extended period represents a collapse of basic corporate ethics and responsibility.
Coupang’s Poor Management and Opaque Response
It has been reported that the incident was not caused by external hacking, but was highly likely due to insider access by a former employee. A signing key used during employment was reportedly not revoked after resignation, allowing access to customer data without login authentication. This demonstrates a complete breakdown of basic controls, including revoking former employees’ access rights, enforcing the principle of least privilege, and monitoring logs.
Coupang initially reported 4,500 affected cases, only to revise the figure to over 30 million just 10 days later. The company also attempted to downplay the incident by using the term “exposure” instead of “breach,” failing to demonstrate a responsible attitude.
We view as deeply problematic the failure to detect the ongoing mass leakage over a five-month period; the formalistic operation of ISMS-P certification, which the company held while lacking basic controls; and the extremely low level of security investment, estimated at only about 0.2% of revenue.
This incident was not the result of a single technical error, but a foreseeable man-made disaster caused by management’s lack of awareness and cost-prioritized decision-making.
A Governance Problem: Imbalance Between Authority and Responsibility
Coupang Chairman Bom Kim has maintained a structure in which he exercises enormous control while stepping down as a registered director of the Korean entity, thereby avoiding being at the forefront of domestic legal responsibility.
Although most of the company’s revenue is generated in Korea, major decisions are made through overseas entities, while only domestic management appears when incidents occur. This is a textbook example of asymmetry between authority and responsibility.
Companies that exert significant economic influence within Korea should be subject to the same level of responsibility and effective regulation, regardless of nationality or corporate structure.
Our Demands Regarding This Incident
First, a direct apology and acknowledgment of responsibility by the ultimate controlling individual.
An apology from the head of the Korean subsidiary is insufficient. The Chairman of Coupang must personally explain his responsibility for this incident and present concrete measures to prevent recurrence.
Second, proactive and comprehensive victim relief.
Clear compensation standards and procedures must be presented for all 33.7 million affected individuals. The company must bear the full cost of secondary damage prevention measures, including protection against smishing and phishing, as well as credit information monitoring.
Third, a complete overhaul of personal data governance and security systems.
The independence and authority of the CISO and CPO must be guaranteed at the highest decision-making level. Internal controls—including management of former employees’ access rights, log monitoring, and anomaly detection—must be comprehensively restructured.
Our Demands to the Government, the National Assembly, and Supervisory Authorities
First, impose the strongest possible legal sanctions, including fines of up to 3% of revenue as permitted under the Personal Information Protection Act, to ensure such incidents never happen again.
Second, overhaul the criteria for identifying controlling persons to focus on actual control and domestic revenue rather than nationality, and strengthen regulations on overseas corporations and complex governance structures—such as reinforcing the domestic agent system for platform companies headquartered abroad.
Third, ensure the effectiveness of ISMS-P certification and oversight by moving beyond formalistic audits, mandating external data governance audits for large platforms, and requiring public disclosure of audit results.
Fourth, strengthen collective redress mechanisms to ensure meaningful relief is available in large-scale cases involving personal data damage. The limitations of the current designated-plaintiff system must be addressed, and collective remedies that apply to all victims must be established. In addition, given that punitive damages under the Personal Information Protection Act have not been effective in practice, compensation standards and liability requirements must be reformed to improve their effectiveness.
This incident starkly exposes the weak sense of responsibility for data and ethical standards among Korean digital corporations. Strong and decisive measures must be put in place to prevent the recurrence of such incidents, which have been occurring one after another.
There is no trust without transparency, and no justice without accountability. Coupang, along with the government and the National Assembly, must seize this incident as a turning point to dramatically strengthen corporate accountability and transparency, and to take decisive action toward a digital society in which citizens’ personal data is truly respected.
December 4, 2025
Transparency International, Korea Chapter (TI Korea)
