Law Firm Probes Coupang Over Data Breach Security Lapses
▼ Summary
– A US law firm is urging investors who suffered losses to join a class action lawsuit against Coupang following a major 2025 data breach affecting 33.7 million customers.
– South Korean police raided Coupang’s headquarters in Seoul as part of their investigation into the data breach.
– Coupang’s CEO resigned the day after the police raid and was replaced by the company’s chief administrative officer.
– South Korea’s privacy regulator ordered Coupang to remove a clause from its terms of service that illegally disclaimed responsibility for the data breach.
– The law firm alleges the breach caused Coupang to establish a $1.2bn compensation plan and lose over $8bn in market value.
Investors who experienced significant financial harm following a major cyber-attack on Coupang are now being called to participate in a class action lawsuit. The legal action, spearheaded by the U.S. firm Hagens Berman, alleges that security failures by the e-commerce giant led to substantial losses. Coupang, often compared to Amazon, is a U.S.-incorporated company listed on the New York Stock Exchange and operates as South Korea’s dominant online retail platform.
The company’s information technology infrastructure was compromised in June 2025. By early December, Coupang acknowledged that the personal data of 33.7 million customers might have been accessed by unauthorized parties. The potentially exposed information includes full names, email addresses, and telephone numbers. This incident represents one of the most significant data breaches in the region’s history.
South Korean authorities have taken decisive action in response. The Seoul Metropolitan Police Agency conducted a raid on Coupang’s headquarters, seizing internal documents and records connected to the security incident. The very next day, the company’s CEO, Park Dae-Joon, resigned from his position. His successor is Harold Rogers, the firm’s current chief administrative officer and general counsel, who is based in Seattle.
Further scrutiny came from South Korea’s primary data privacy watchdog, the Personal Information Protection Commission (PIPC). The regulator discovered that Coupang had quietly amended its terms of service in November, inserting a new provision. This clause attempted to disclaim responsibility for any damages resulting from unauthorized third-party access to its systems. The PIPC determined this move violated the nation’s Personal Information Protection Act, as it improperly obscured the company’s legal accountability, especially in instances of negligence or intentional misconduct. The commission issued a direct order for Coupang to remove the disputed clause immediately.
Additionally, the PIPC mandated that the retailer form a dedicated task force. This team’s primary objective is to address and lessen any further potential harm to the millions of users impacted by the data exposure.
The class action lawsuit intends to highlight these alleged security lapses. In a formal statement released on January 23, 2026, Hagens Berman Sobol Shapiro LLP outlined the severe consequences of the breach. The firm cited a $1.2 billion compensation plan announced by Coupang and pointed to a staggering loss of over $8 billion in market value for the company, directly linking this financial erosion to the cyber-attack and its aftermath.
(Source: InfoSecurity Magazine)