Coupang Reported Data Breach Two Days Late; Five Months of Records Deleted

By Seo Ji-hye

Change your door lock code right now. Your home address has been exposed 150 million times.

Coupang failed to report a personal data breach by a former Chinese employee within the legally mandated timeframe last year, investigators revealed. The company also allowed critical evidence requested by authorities to be deleted, raising the possibility of a criminal investigation referral.

The joint public-private investigation team probing the Coupang breach announced Tuesday that "Coupang violated regulations requiring notification within 24 hours of detecting a security incident."

The former Chinese employee sent an email to Coupang on November 16 last year confessing to leaking information. This was not reported to the Chief Information Security Officer until 4 p.m. the following day. Under Article 48-3 of the Information and Communications Network Act, companies must notify the Ministry of Science and ICT or the Korea Internet & Security Agency within 24 hours of detecting a breach. However, Coupang did not file its report with KISA until 9:35 p.m. on November 19. This violation carries a fine of up to 30 million won.

Coupang also failed to comply with the government's data preservation order. At 10:34 p.m. on November 19, authorities ordered the company to preserve relevant records for incident analysis. However, Coupang did not adjust its automatic log retention policy, allowing approximately five months of web access records from July through November 2024 to be automatically deleted. App access logs from May 23 to June 2, 2025, were also erased. Concealing or destroying evidence constitutes obstruction of official duties.

"We have referred Coupang to investigative authorities regarding violations of the data preservation order," the investigation team stated. "We have instructed Coupang to submit preventive measures and detailed implementation plans, and will verify compliance in June or July."

Coupang maintained that "based on the attacker's statement, only 3,000 accounts were stored on the attacker's hard drive and that information has been deleted." The company added that it "has never denied the data breach and has notified 33.7 million affected users while providing compensation."

AI-translated from Korean. Quotes from foreign sources are based on Korean-language reports and may not reflect exact original wording.