Regulator Orders Coupang to Delete Unverified Leak Findings, FTC Mulls Suspension

Updated 2026-01-14 10:46:50+00:00 (50 articles)

Regulator Demands Deletion of Unverified Probe Results The Personal Information Protection Commission (PIPC) formally instructed Coupang to remove the results of its independent data‑leak investigation, labeling the information unverified and potentially misleading to the public. The commission warned that retaining or publishing the findings could be interpreted as obstructing the official inquiry and may attract penalties. Coupang’s internal report claimed a former employee accessed data of 33.7 million users but saved only about 3,000 records before deletion [1].

Coupang’s Internal Probe Quantifies Breach Scope The company’s December 25 internal audit identified a former employee who extracted personal details—including names, phone numbers and delivery addresses—from roughly 33.7 million customer accounts. Approximately 3,000 of those records were temporarily retained and subsequently erased, a figure cited by both the regulator and the FTC chief. The probe’s conclusions remain contested, with the science ministry describing them as one‑sided and incomplete [1][2].

FTC Chief Warns of Possible Temporary Suspension On January 12, FTC chairman Ju Byung‑gi told a radio program that Coupang could face a temporary suspension of its operations if adequate consumer relief is not provided or if enforcement orders are deemed insufficient. The FTC is also examining broader issues such as Coupang’s overall business practices and alleged shifting of low‑price sale losses onto partner suppliers. This signals a willingness to employ strong enforcement tools as the data‑breach investigation proceeds [2].

Authorities Push for User‑Facing Breach Lookup Tool In addition to demanding the removal of the probe report, the PIPC recommended that Coupang embed a simple verification feature within its mobile app and website, allowing users to check whether their personal information was compromised. The regulator believes such a tool would reduce confusion and improve transparency while the formal investigation continues [1].

Sources (2 articles)

Timeline

Jun 24, 2025 – Unauthorized access to delivery‑related personal data begins on overseas servers, later identified as the start of the breach that will affect tens of millions of users[38].

Nov 18, 2025 – Coupang discovers the breach and reports only 4,500 compromised accounts to authorities within two days, later realizing the intrusion started months earlier[37].

Nov 29‑30, 2025 – Coupang publicly confirms that personal information of 33.7 million customers (names, phone numbers, emails, delivery addresses) was exposed, while payment data remains intact; the company apologises and pledges stronger security[39][38].

Dec 1, 2025 – The company’s disclosure triggers discussion of potential fines up to 3 % of revenue, citing SK Telecom’s record 134.8 billion‑won penalty for a 23.2 million‑user leak as precedent[33].

Dec 2, 2025 – President Lee Jae Myung calls for a rapid investigation and tougher penalties, stressing the need to protect public trust after the massive data leak[30].

Dec 7‑8, 2025 – Coupang’s U.S. headquarters in Seattle faces a class‑action lawsuit in both South Korea and the United States, highlighting the cross‑border legal fallout of the breach[27].

Dec 8, 2025 – The presidential office urges swift safeguards against secondary damage, warning that leaked data could fuel scams; the Fair Trade Commission (FTC) launches a probe into Coupang’s account‑deletion flow and terms of service, citing the breach as a catalyst[26][25].

Dec 9, 2025 – Seoul Metropolitan Police raid Coupang’s headquarters to seize internal documents and trace the IP address used in the breach, marking the first major law‑enforcement action[23].

Dec 10, 2025 – CEO Park Dae‑jun resigns, accepting full responsibility; Harold Rogers is named interim CEO to steer the crisis response and restore customer trust[22].

Dec 14, 2025 – Founder Kim Bom‑suk announces he will skip the parliamentary hearing on the breach, citing overseas commitments; other senior executives also refuse to appear[21].

Dec 16, 2025 – A National Assembly committee files a formal complaint against Kim Bom‑suk for failing to attend earlier audits, underscoring parliamentary pressure on Coupang’s leadership[20].

Dec 25, 2025 – The presidential office convenes an emergency meeting (chaired by Chief of Staff Kim Yong‑beom) with science and security ministers to coordinate the response and review Coupang’s lobbying activities[19].

Dec 25, 2025 – Coupang revises its internal findings, stating that only ≈3,000 customers’ data were actually saved and later deleted, and that no information was shared externally; the claim sparks dispute from the government’s joint probe[15][16].

Dec 26, 2025 – Police intensify forensic analysis of the suspect’s laptop, verifying ownership and probing possible data tampering, while confirming the recovered data pertained to about 3,000 customers[14].

Dec 28, 2025 – Founder Kim Bom‑suk issues a written apology for the breach that affected roughly 34 million users, admitting the delay was a mistake and acknowledging the hacker’s confession[11].

Dec 29, 2025 – The National Assembly schedules a two‑day hearing with six committees; the opposition People Power Party boycotts, and 13 current/former Coupang executives submit statements saying they will not attend[9].

Dec 29, 2025 – Police allege Coupang withheld its internal laptop analysis, warning that the company could be held accountable for any evidence manipulation[10].

Dec 30, 2025 – Science Minister Bae Kyung‑hoon reaffirms that a joint government‑private probe found 33 million users’ names and emails leaked, rejecting Coupang’s claim of only 3,000 affected accounts and emphasizing that addresses and order details were also exposed[6][8].

Dec 31, 2025 – The government issues a joint statement vowing to use “all legal measures” against Coupang, criticising its “lukewarm” explanation and noting that the Fair Trade Commission may consider suspending operations; Parliament files complaints against seven Coupang officials[4].

Jan 12, 2026 – FTC Chairman Ju Byung‑gi tells a radio program that a temporary suspension of Coupang’s business could be ordered if consumer relief is insufficient, signalling the regulator’s willingness to use enforcement tools amid the ongoing breach probe[3].

Jan 14, 2026 – The Personal Information Protection Commission urges Coupang to delete its unverified independent probe results, warning that the information could confuse the public and that the company’s delays in submitting documents may constitute obstruction[2].