Coupang CEO Resigns After 33.7 Million-User Data Breach

South Korea’s largest e-commerce company, Coupang, is facing one of the most serious corporate crises in its history after a massive data breach involving 33.7 million users triggered police raids, political scrutiny, and the resignation of its chief executive officer.

What began as a seemingly limited cybersecurity incident has rapidly escalated into a nationwide debate on corporate transparency, data governance, and the obligations of technology platforms that now serve as essential infrastructure for daily life.

From Minor Incident to Massive Exposure

Coupang first informed South Korean regulators on November 20 that a data exposure had occurred, initially estimating that around 4,500 user accounts were affected. Within days, that assessment proved dramatically inaccurate.

On November 29, the company revised its disclosure, admitting that personal information belonging to approximately 33.7 million users—nearly its entire domestic customer base—had been compromised. The sharp jump transformed the episode into one of South Korea’s largest known data breaches.

The exposed data reportedly included names, mobile numbers, email addresses, and delivery locations. While Coupang stated that passwords and payment information were not accessed, cybersecurity experts cautioned that even basic personal data can be weaponised for phishing, identity fraud, and long-term social engineering attacks.

Police Raids and Rising Political Pressure

As public concern intensified, law enforcement agencies moved quickly. Police conducted consecutive raids at Coupang’s Seoul headquarters as part of an expanding investigation into how the breach occurred and whether the company complied with mandatory reporting and security obligations under Korean law.

The issue soon reached the highest levels of government. The presidential office publicly urged Coupang to clarify its consumer compensation plan, signalling that the breach had become a matter of national concern rather than a private corporate failure.

Regulators are now examining whether internal controls, incident escalation protocols, and disclosure timelines were adequate—issues that often surface during professional auditing services in India and globally when companies assess cyber risk governance after major incidents.

CEO Exit Signals Accountability—but Questions Remain

Amid mounting scrutiny, Coupang announced the resignation of CEO Park Dae-jun. The company framed the move as a step toward accountability following the breach disclosures.

Harold Rogers, chief administrative officer and general counsel of Coupang’s U.S.-listed parent company, has been appointed interim CEO. The parent entity stated it would take a more direct role in managing regulatory engagement, customer response, and internal reforms.

The leadership change has also highlighted the complexity of Coupang’s cross-border corporate structure—operating primarily in South Korea while being overseen by a U.S.-based parent—raising questions about jurisdictional responsibility during crises.

Trust, Disclosure, and the Cost of Delay

Beyond the investigation itself, the Coupang incident has reignited a broader debate in South Korea over how quickly companies must disclose cyber breaches and how reliable early disclosures should be.

Consumer advocates have criticised the gap between the initial report of 4,500 affected users and the later figure of 33.7 million, arguing that delayed or incomplete information deprives users of the chance to take timely protective measures.

For Coupang, the challenge now extends beyond legal compliance. Restoring trust among millions of users - who now know that much of their personal shopping data was exposed - may prove far more difficult than navigating regulatory penalties.