Coupang’s breach story has unfolded in waves: first as a massive compromise affecting nearly the entire domestic customer base, then as a dispute about what the public was told versus what investigators could verify, and most recently as a cross-border conflict involving U.S. investors, Washington trade pressure, and securities litigation in U.S. courts.

What makes this case structurally different from a “normal” breach is that investigators and regulators have treated communications and corporate process as part of the alleged failure—not only the technical intrusion. That’s why the scandal persists even as day-to-day virality cools: the file is now anchored in official findings, police accountability, and international legal mechanisms rather than social-media momentum.

What happened (recap of the core incident)

Scale: “almost everyone”

A joint public-private probe led by South Korea’s science ministry confirmed exposure of over 33.6 million accounts, with Korean reporting framing the confirmed leaked records as roughly 33.67 million—numbers that effectively map to Coupang’s Korean user base.

Nature of data: not just identifiers

Investigators said the breach extended beyond basic customer details to include highly sensitive operational data such as delivery addresses, shared building entry passwords, recent order histories, and even personal information related to users’ acquaintances—details that shift perceived risk from “spam/phishing” to real-world misuse.

Technical framing: an authentication weakness enabling abnormal access

South Korea’s Ministry of Science and ICT (MSIT) described preliminary findings as an attacker exploiting an authentication vulnerability that enabled access without normal login procedures, exposing names, emails, phone numbers, and delivery addresses, and prompting the activation of a Joint Public-Private Investigation Team on Nov. 30, 2025.

Why this became a governance crisis (not only a security incident)

1) Regulators pushed back on Coupang’s public narrative

In mid-January, Korea’s privacy regulator (PIPC) publicly told Coupang to stop posting unverified “self-investigation” findings, warning that unconfirmed statements could mislead users and undermine the official investigation. This is a pivotal escalation: it turns breach response into scrutiny of information integrity and disclosure discipline.

2) The “what did leadership say under oath?” dimension kept the story alive

Police investigations expanded beyond incident response into alleged wrongdoing around testimony. Coupang’s interim CEO Harold Rogers underwent lengthy questioning over perjury allegations tied to parliamentary testimony about the breach. That policing track creates recurring headline spikes independent of the technical probe’s tempo.

3) Government findings framed it as “management failure,” not inevitability

Korean reporting on the joint probe emphasized the breach as a management failure, a framing that increases penalty and reputational exposure because it implies preventability and governance deficits, not merely sophisticated attackers.

Timeline: the case in phases (from late 2025 to Feb. 18, 2026)

Phase 1 — Disclosure shock and mobilization (Nov.–Dec. 2025)

  • Nov. 30, 2025: MSIT activates a Joint Public-Private Investigation Team as the incident becomes public and government response begins.
  • Late Dec. 2025: MSIT publicly rebukes Coupang over unilateral disclosure of “investigation results” not verified by the joint probe (an early signal of the “narrative vs verification” conflict).

Phase 2 — Communications become an enforcement issue (Jan. 2026)

  • Jan. 14, 2026: PIPC tells Coupang to stop publishing unconfirmed internal findings, explicitly warning about misleading users and undermining the official probe.
  • Jan. 2026: Broader PIPC scrutiny expands to other allegations beyond the breach (illustrating how a flagship incident can widen into a “platform governance” audit).

Phase 3 — Accountability intensifies and scope solidifies (Feb. 2026)

  • Feb. 5: Coupang says an additional 165,000 users’ data was leaked (within the same breach context), reinforcing that scope verification is iterative and still politically combustible.
  • Feb. 7: Rogers undergoes ~14 hours of police questioning over perjury allegations.
  • Feb. 10: Joint probe confirms ~33.6 million accounts exposed; separate Korean reporting states ~33.67 million records.
  • Feb. 10: Investigators disclose that data exposed included delivery addresses, entry passwords, and order histories.
  • Feb. 18 (today): CPNG trades around $17.87 (intraday), reflecting ongoing risk premium and headline sensitivity.

What investigators say the attacker did (and why it matters)

The significance isn’t only the record count; it’s what the exposed data types imply about the attack surface:

  • Delivery address data increases fraud and stalking risk (especially when linked to phone numbers and names).
  • Shared building entry passwords elevate physical safety concerns in a high-density housing context—this detail was a narrative accelerant in Korean coverage.
  • Order history access creates profiling risk (household routines, delivery timing, consumption patterns).

MSIT’s English briefing emphasizes the mechanism: an authentication vulnerability allowing access without normal login—suggesting the investigation focus includes identity/auth controls and monitoring thresholds, not just perimeter defense.

Korea enforcement and legal exposure: what’s actually at stake

PIPC: privacy law compliance and breach communications

PIPC’s public instruction to stop unverified disclosures signals heightened scrutiny of whether Coupang met obligations around truthful, verified communication during an active probe—not only whether safeguards existed.

Police: perjury allegations add a criminal-risk layer

The interim CEO’s repeated questioning over alleged perjury keeps leadership credibility on the table. Even absent charges, the existence of a police track raises reputational cost and extends news half-life.

The U.S. side: securities litigation, investor-state arbitration, and trade pressure

1) Securities class actions against Coupang (U.S. courts)

A securities class action styled Barry v. Coupang, Inc., et al., No. 5:25-cv-10795 (N.D. Cal.) has been widely reported, alleging investors were misled about cybersecurity risks and/or timely disclosure.

A separate plaintiffs’ announcement (Hausfeld) states it filed a complaint expanding the class period and allegations relative to Barry.

Why this matters: even if Korea enforcement ends with an administrative resolution, U.S. securities claims can extend for years and keep CPNG trading with a litigation overhang.

2) Investor–state dispute path under KORUS FTA (ISDS posture)

U.S. investors have escalated beyond standard investor PR into trade-law mechanisms: reporting says they filed a petition with the U.S. Trade Representative (USTR) alleging discriminatory treatment and submitted notice of intent to initiate ISDS arbitration under KORUS.

UPI reports additional U.S. investment firms joined that arbitration push, widening the coalition.

3) Trade leverage enters the frame (Washington → Seoul)

The Wall Street Journal reported the Trump administration warned South Korea against measures perceived as discriminatory toward U.S. tech firms, explicitly referencing Coupang amid trade escalation and tariff threats—moving the story from “a Korean regulatory matter” into bilateral economic leverage.

What’s still unknown (and what to watch next)

Even with major findings published, several high-impact questions remain unresolved publicly:

  1. Final penalty package and corrective orders: PIPC’s investigation posture is clear, but final sanctions/corrective orders are still the key “closure event” for Korea’s enforcement cycle.
  2. Police outcomes: whether the perjury inquiry leads to charges, referrals, or closure will materially affect reputational recovery.
  3. Trade/tariff follow-through: the U.S. warning creates a diplomatic ceiling risk—watch for explicit USTR actions or formal arbitration filings (beyond notices).
  4. U.S. litigation milestones: motions to dismiss/class certification schedules (often months out) will matter for investor sentiment.

Bottom line

Coupang’s breach story persists because it isn’t one story anymore:

  • In Korea, it’s become a test of platform governance: verified scope, disclosure discipline, and leadership accountability.
  • In the U.S., it’s now an investor-risk stack: securities class actions, investor–state dispute tactics, and trade-policy signaling that can reprice the stock on headlines.
