Date: 2025-12-10

Coupang’s chief executive, Park Dae-jun, has left his position after the e-commerce giant revealed a sprawling data breach that is said to have ultimately affected about 34 million people in total — around 66 percent of South Korea’s population. In a statement, Park apologized and took responsibility as the company announced it was replacing him with Harold Rogers, formerly the top lawyer at Coupang’s United States-based parent.

Leadership Shake-Up at Coupang Highlights Compliance Focus

The promotion of Rogers, a well-regarded general counsel, suggests that the shift toward legal risk management and regulatory compliance is as important as the continuing recovery.

For a logistics-laden platform likened to Amazon for its next-day “Rocket” delivery and dominant market share, the decision underscores that the crisis is now about more than IT, raising questions of governance, disclosure, and customer trust.

Boards, in the aftermath of a breach, tend to rely on legal leaders to ensure more granular reporting, shore up their incident response playbooks, and work hand-in-hand with regulators around the globe. Coupang, a U.S.-listed company, answers to two sets of authorities: South Korean privacy regulators at home and securities oversight abroad. That adds urgency to the company’s crisis response plans and to its efforts to repair its relationship with consumers.

What We Know About the Breach and Its Reported Scope

Coupang had previously said that the intrusion happened in June but was not discovered until November, a lag time that is likely to face scrutiny from investigators looking at dwell time and early-warning controls. Initial company estimates that fewer than 5,000 customers were affected later ballooned to nearly 34 million after further forensics — a trend we see frequently where initial visibility is low and expands as additional logs are reconstructed and third-party systems are evaluated.

The company has broadly described the leaked data as personal information, which often means identifying and contact information. The Korea Internet & Security Agency (KISA) and the Personal Information Protection Commission (PIPC) assess, on an ongoing basis, whether leaked information could be used maliciously for fraud, smishing, or account takeover, as well as whether personal information was encrypted, tokenized, or pseudonymized at the time of the incident.

Regulatory Scrutiny and Potential Penalties Facing Coupang

South Korea’s PIPC is empowered to issue corrective orders and administrative surcharges for breaches of privacy, with penalties tiered based on the severity of the breach and a company’s security measures. Guidance from the commission says that surcharges can be as high as 3 percent of related revenue for certain misdeeds, along with a possible criminal referral in egregious cases. KISA usually handles technical investigations and victim assistance, while the National Police Agency could exercise jurisdiction over criminal actors if attribution is possible.

Like all U.S.-listed companies, Coupang also needs to take steps to make sure it can accurately and promptly inform investors about its cyber risks and material incidents. Enforcement in both markets is increasingly focused on board oversight, documented security controls, and measurable progress on remediation — areas where a legally minded CEO can speed up alignment.

Security Failures and Reforms Being Implemented

Major retailers have found — often the hard way — that perimeter defenses just don’t cut it. Investigators will closely scrutinize identity and access management, multi-factor enforcement for privileged accounts, segmentation between customer data and operations systems, as well as continuous monitoring that can surface anomalies earlier. The ISMS-P framework in South Korea, which is governed by KISA and PIPC, provides a solid foundation; the question is whether the controls worked over time and whether there were detection gaps between cloud and on-premises environments.

In parallel cases internationally, organizations have moved fast to make essential adjustments: expedited rotation of credentials, additional endpoint detection and response tools purchased and deployed more broadly, zero-trust network policies tightened or introduced, vendor access further restricted, and logging made immutable. Independent audits and red-team assessments typically follow, and progress is reported to regulators — and increasingly, the public — to rebuild confidence.

A Breach and National-Scale Repercussions

The digital economy in South Korea is hyperconnected: e-commerce, superapps, and real-time logistics have been woven into the daily rhythms of life. Because these services depend on one another, the ripple effects are magnified when a platform as big as Coupang gets breached. The episode extends a streak of high-profile incidents in the country — from the Interpark hack that compromised tens of millions of records to a fire at a government data center that wiped out crucial information — while reminding leaders that resilience encompasses not only technology but also facilities and human processes.

KISA has been sounding the alarm for years in its annual reporting that e-commerce platforms are prime targets because they have rich identity information and often share accounts across services. The lesson has all the familiarity of a broken record — identity defense needs to be treated as a core product feature, not a back-office provision.

What Consumers Should Do Now to Protect Their Accounts

If you reused passwords, reset your Coupang password; you may receive SMS messages confirming the breach when logging in.

Watch for delivery or refund smishing and phishing attempts.

Consider credit alerts from NICE and KCB, and seek incident advice via KISA’s 118 hotline.

If offered, sign up for identity monitoring services provided by the company.

For Coupang, the way forward is straightforward but challenging: regular communication with customers and regulators, credible security updates, and consistent follow-up. A new leader can set the tone. The degree to which trust can be restored will depend on those details — and, ultimately, on showing that this breach is what turns the tide for a safer, more resilient platform.