Police Say Coupang Breach Impacts Over 30 Million Users, CEO Faces Arrest Threat

Updated 2026-01-26 06:19:16+00:00 (102 articles)

Police Estimate Breach Affects Over 30 Million Accounts Seoul Metropolitan Police Agency announced that data from more than 30 million Coupang accounts appears to have been stolen, a figure far exceeding the company’s internal estimate and prompting a full criminal investigation [1]. The agency’s head, Park Jeong‑bo, said authorities will verify whether Coupang downplayed the incident’s magnitude. Police are coordinating the probe with multiple regulatory bodies to assess potential penalties.

Coupang’s Internal Report Limits Impact to 3,000 Records In a December 25 statement, Coupang claimed a former employee accessed personal information of 33 million users but retained data for only about 3,000 accounts [1]. This stark contrast between the police’s >30 million estimate and the company’s 3,000‑record figure has become a focal point of the inquiry. Investigators are reviewing internal logs and communications to determine the true scope of the leak.

Interim CEO Harold Rogers Missed Two Police Summonses Interim CEO Harold Rogers failed to appear at police summonses on Jan. 5 and Jan. 14, leading officials to issue a third notice and warn that an arrest warrant could follow after three missed appearances [1]. Police explained that a warrant would be considered under standard procedure if Rogers continues to ignore summonses. The non‑compliance adds legal pressure to the ongoing data‑security case.

International Pressure Builds as U.S. Investors Seek Arbitration U.S. investors Greenoaks Capital Partners and Altimeter Capital filed notices to arbitrate under the Korea‑U.S. free‑trade agreement and urged the USTR to investigate Seoul’s handling of the breach, citing “unreasonable and discriminatory” actions [4][8]. South Korean trade minister Yeo Han‑koo asked the United States to treat the probe separately from broader trade issues, while Prime Minister Kim Min‑seok denied any discrimination against Coupang [2][5][7]. The investors’ move intensifies diplomatic scrutiny of Korea’s regulatory response.

Sources (11 articles)

Timeline

Jun 24, 2025 – Unauthorized access to delivery‑related personal data begins on overseas servers, later identified as the start of the massive breach that eventually exposes over 30 million South Korean customers[35].

Nov 18, 2025 – Coupang discovers the breach and notifies authorities within two days, initially reporting only about 4,500 compromised accounts[36].

Nov 30, 2025 – Science Minister Bae Kyung‑hoon convenes an emergency inter‑agency meeting; Coupang confirms that personal information of 33.7 million users was exposed, while payment data remains safe, and CEO Park Dae‑jun issues a public apology[35][38].

Dec 4, 2025 – The Personal Information Protection Commission (PIPC) warns it may impose a record fine of up to 1.2 trillion won for the breach, and the Korea Media Communications Commission (KMCC) launches a fact‑finding probe into Coupang’s complex account‑deletion process[30][31].

Dec 6, 2025 – Coupang revises its public notice to label the incident a “data breach” after a government request and reports that police have found no secondary damage from the leaked data[28].

Dec 7‑8, 2025 – A U.S. class‑action lawsuit is filed in Seattle, seeking punitive damages for the same 33.7 million‑customer breach[27].

Dec 8, 2025 – Korea’s Fair Trade Commission (FTC) opens a probe into Coupang’s account‑deletion flow and terms of service, citing consumer‑protection concerns tied to the breach[26].

Dec 9, 2025 – Police raid Coupang’s Songpa headquarters for the first time, seizing internal documents related to the breach that affected roughly 34 million people[25].

Dec 10, 2025 – A second day of raids targets the same headquarters, focusing on the IP address used in the breach and a Chinese‑national suspect identified in the warrant[24].

Dec 14, 2025 – Founder Kim Bom‑suk announces he will skip a parliamentary hearing on the data breach, citing global‑CEO duties, while former Korean unit CEOs also refuse to appear[22].

Dec 16, 2025 – A National Assembly committee decides to file a complaint against Kim Bom‑suk for missing two audit hearings, intensifying legislative pressure on Coupang’s leadership[21].

Dec 17, 2025 – Interim CEO Harold Rogers apologizes at a National Assembly hearing, pledges a compensation package, and explains the SEC filing of the breach for U.S. investors[20].

Dec 20, 2025 – The Korea Consumer Agency orders SK Telecom to pay per‑user compensation after its own massive data leak, providing a benchmark for penalties in the sector[19].

Dec 24, 2025 – Former Trump national‑security adviser Michael O’Brien denounces the South Korean parliament’s scrutiny of Coupang, warning it could trigger discriminatory regulation against U.S. tech firms[4].

Dec 29, 2025 – Coupang unveils a 1.69 trillion‑won compensation plan, issuing 50,000‑won vouchers to each of the 33.7 million affected users, and founder Kim Bom issues a public apology[17][2].

Dec 30, 2025 – Science Minister Bae Kyung‑hoon reiterates that more than 33 million customers were affected, calling the breach “extremely malicious” and criticizing Coupang’s uncoordinated announcements[16].

Dec 31, 2025 – The Science Ministry condemns Coupang’s lack of cooperation in the joint probe and the National Assembly moves to file a perjury complaint against interim CEO Rogers; consumer groups label the voucher‑based compensation as promotional[14][15].

Jan 5, 2026 – Seoul police form an 86‑member task force to investigate 20 Coupang‑related cases, including data‑breach allegations, worker deaths, and alleged blacklisting[12]; the Financial Supervisory Service also launches a probe into high‑interest loans offered by Coupang Financial, citing rates up to 18.9 %[13].

Jan 7, 2026 – Prosecutors request cooperation from China and Interpol to arrest a former Chinese employee suspected of the leak; a Dec 8 arrest warrant had already been approved but Beijing has not responded[11].

Jan 12, 2026 – FTC chief Ju Byung‑gi warns that a temporary suspension of Coupang’s operations may be ordered if consumer relief is insufficient; the same day, interim CEO Rogers misses his first police summons, prompting a second summons and discussion of an exit ban[10][9].

Jan 18, 2026 – A senior Cheong Wa Dae official stresses that the data‑leak probe is a domestic matter, not a U.S.–Korea trade dispute, while U.S. lawmakers raise concerns about possible discriminatory enforcement against U.S. tech firms[8].

Jan 22, 2026 – U.S. investors Greenoaks and Altimeter notify the Korean government of intent to arbitrate under the Korea‑U.S. free‑trade agreement and ask the USTR to investigate “unreasonable” Korean actions, invoking Section 301 of the Trade Act[7].

Jan 23, 2026 – The same investors formally file arbitration claims and push Washington to examine Seoul’s conduct toward Coupang, alleging unprecedented regulatory pressure across multiple Korean agencies[6].

Jan 24, 2026 – Trade Minister Yeo Han‑koo meets USTR Jamieson Greer in Davos and later at Incheon Airport, urging that the Coupang data‑breach investigation be handled separately from broader Seoul‑Washington trade issues and emphasizing its non‑discriminatory nature[5].

Jan 26, 2026 – Seoul Metropolitan Police head Park Jeong‑bo estimates the breach affected over 30 million accounts, questions Coupang’s claim of only 3,000 compromised records, notes interim CEO Rogers has missed two summonses, and warns an arrest warrant could follow if he continues to ignore police orders[3].