News
Below are the statements Coupang published related to the recent cybersecurity incident.
—————————————————————————————–
Originally posted on Dec 29, 2025 09:50 in KST:
Coupang Announces Compensation Plan to Restore Customer Trust… Issuing 1.685 Trillion Won Worth of Purchase Vouchers
– Compensation plan implemented for all 33.7 million customers… To be provided sequentially starting January 15, next year
– Equivalent to 50,000 won per person… Purchase vouchers for all Coupang products and for Coupang Eats, Travel, and R.LUX
– Practicing ‘customer-centric principles’… We will transform into a company trusted by customers.
Fully acknowledging its responsibility for the recent personal information leak incident, Coupang announced on the 29th that it plans to implement a 1.685 trillion won customer compensation plan to restore customer trust.
Harold Rogers, Coupang Corp.’s interim CEO, stated, “All Coupang executives and employees deeply regret the significant concern and distress the recent personal data leak has caused our customers,” adding, “We have prepared a compensation plan as part of taking responsible action for our customers.”
Coupang plans to distribute purchase vouchers worth around 1.685 trillion won to customers starting January 15 next year. The plan applies to 33.7 million customer accounts who were notified of the personal information leak at the end of last November. Purchase vouchers will be provided equally to both WOW and non-WOW members. It also includes Coupang customers who had canceled their membership and were notified of the personal data leak. The company plans to sequentially notify its 33.7 million customer accounts via text message about the use of the purchase vouchers.
Coupang will provide each customer with four single-use purchase vouchers totaling 50,000 won: all Coupang products including Rocket Delivery, Rocket Overseas, Seller Rocket, and Marketplace (5,000 won), Coupang Eats (5,000 won), Coupang Travel products (20,000 won), and R.LUX products (20,000 won).
Customers can check the purchase vouchers sequentially on the Coupang app starting January 15 and apply them when purchasing products. More specific details are scheduled to be released in a separate announcement.
Harold Rogers, Coupang Corp.’s interim CEO, stated, “Taking this incident as a turning point, Coupang will wholeheartedly embrace ‘customer-centric principles’ and fulfill its responsibilities to the very end, transforming into a company that customers can trust,” adding, “We once again deeply apologize to our customers.”
—————————————————————————————–
Originally posted on Dec 26, 2025 15:00 in KST:
Coupang’s investigation was not a “self investigation.” It was an investigation coordinated on a daily basis, under the express direction of government, over a period of several weeks.
This data leak incident has caused great concern to the public and the continued misstatements that Coupang was conducting an investigation without governmental oversight are creating false insecurity. We would like to clarify facts of our coordination process with the government.
On December 1, the government approached Coupang and asked for full cooperation.
On the 2nd, Coupang received an official, written letter with regard to the incident from the government. On an almost daily basis for the next several weeks, Coupang worked with the government to locate, contact, and communicate with the leaker. At the direction of the government, Coupang secured the leaker’s full confession, recovered all devices used in connection with the leak, and received critical details about Coupang user information. As soon as Coupang received new facts, sworn testimony, or physical materials from the leaker, Coupang turned them over to the government immediately.
On the 9th, the government suggested that Coupang contact the leaker. Coupang worked with the government on messaging and word choice in its communications. Following this, Coupang met the leaker initially on the 14th and reported this to the government. On the 16th, we completed the primary retrieval of the leaker’s desktop and hard drives as directed by the government, which was then reported. On the 17th, we provided them to the government. Coupang understands that after it delivered the hard drive to the government, the government began an immediate review. The government then requested that we recover additional devices from the leaker.
On the 18th, Coupang recovered the leaker’s MacBook Air laptop from a nearby river. Coupang used a forensics team to document and take inventory and then immediately handed the laptop over to the government. On December 21 the government let Coupang to deliver the hard drives, laptop, and all three sworn and fingerprinted declarations to the police. At all times Coupang obeyed the government’s order to keep the operation confidential and not disclose any details, even while governmental agencies, the National Assembly, and parts of the media falsely accused Coupang of failing to seriously address the leak.
On the 23rd, at the government’s request we provided additional briefing about the details of the investigation including details about Coupang’s cooperation with the government. Subsequently, on the 25th, we notified Coupang customers of the investigation status.
Coupang will fully cooperate with the ongoing government investigation and take all necessary measures to prevent any secondary harm.
—————————————————————————————–
Originally posted on Dec 25, 2025 15:35 in KST:
Coupang confirmed that the perpetrator has been identified, and that all devices used in the data leak have been retrieved. The investigation to date indicates that the perpetrator retained limited user data from only 3,000 accounts and subsequently deleted the user data.
Based on the investigation to date:
- The perpetrator accessed 33 million accounts, but only retained user data from approximately 3,000 accounts. The perpetrator subsequently deleted the user data.
- The user data included only 2,609 building entrance codes. No payment data, log-in data or individual customs numbers
- The perpetrator never transferred any of the data to others
We know the recent data leak has caused concern among our customers, and we apologize for the anxiety and inconvenience. Everyone at Coupang and the government authorities has been working tirelessly together to address this critical issue, and we are now providing an important update.
Coupang used digital fingerprints and other forensic evidence to identify the former employee who leaked user data. The perpetrator confessed everything and revealed precise details about how he accessed user data.
All devices and hard drives the perpetrator used to leak Coupang user data have been retrieved and secured following verified procedures. Starting from the submission of the perpetrator’s declaration to government officials on December 17, Coupang has been submitting all devices including hard drives to government officials as soon as we received them. Coupang has also been cooperating fully with all relevant ongoing government investigations.
From the beginning, Coupang commissioned three top global cybersecurity firms—Mandiant, Palo Alto Networks, and Ernst & Young—to perform rigorous forensic investigation.
The investigative findings to date are consistent with the perpetrator’s sworn statements: (i) that he accessed basic user data from 33 million customer accounts using a stolen security key, (ii) that he only retained user data from roughly 3,000 total accounts (name, email, phone number, address and part of order histories), (iii) that from the roughly 3,000 accounts, he only retained 2,609 building entrance access codes, (iv) that he deleted all stored data after seeing news reports of the leak, and (v) that none of the user data was ever transmitted to others.
- Perpetrator accessed basic user data using a stolen security key. The perpetrator stated that he was able to access limited user data—including names, emails, addresses, phone numbers—by stealing an internal security key that he took while still working at the company. Data logs and forensic investigation had already confirmed that the access was carried out using a stolen internal security key and included only the types of data the perpetrator specified (e.g., names, emails, addresses, phone numbers). He did not access any payment data, log-in data, or individual customs numbers.
- Perpetrator gained very limited access to order history and building entrance codes. The perpetrator stated that while accessing basic data relating to a large number of customers, he only ever accessed the order history and building entrance codes for roughly 3,000 accounts. Independent forensic analysis of data logs had already determined that the number of building entrance codes for only 2,609 were ever accessed, just as the perpetrator reported.
- Perpetrator used a desktop PC and MacBook Air laptop for the attack. The perpetrator stated that he used a personal desktop PC and a MacBook Air laptop to provision access and to store a limited amount of user data. Independent forensic investigation confirmed that Coupang systems were accessed using one PC system and one Apple system as the primary hardware interfaces, exactly as the perpetrator described. The perpetrator relinquished the PC system and four hard drives used on the PC system, on which analysts found the script used to carry out the attack.
- Perpetrator sought to erase and dispose of the MacBook Air laptop in a river. The perpetrator stated that when news outlets reported on the data leak he panicked and sought to conceal and destroy the evidence. Among other things, the perpetrator stated that he physically smashed his MacBook Air laptop, placed it in a canvas Coupang bag, loaded the bag with bricks, and threw the bag into a nearby river. Using maps and descriptions provided by the perpetrator, divers recovered the MacBook Air laptop from the river. It was exactly as the perpetrator claimed—in a canvas Coupang bag loaded with bricks—and its serial number matched the serial number in the perpetrator’s iCloud account.
- Perpetrator retained a very small amount of user data, never transferred any of the data, and subsequently deleted all the stored user data. The perpetrator stated that he worked alone, that he only retained a small amount of user data from roughly 3,000 accounts, that the user data was only ever stored on his personal desktop PC and MacBook Air laptop, that none of that user data was ever transmitted to a third party, and that he deleted the stored data immediately after seeing news reports of the leak. The investigative findings to date are consistent with the perpetrator’s sworn statements and found no evidence that contradicts these statements.
We will provide updates following the investigation and plan to separately announce compensation plans to our customers in the near future.
Coupang remains fully committed to protecting customer data. We will cooperate fully with the government’s investigation, take all necessary steps to prevent further harm, and strengthen our measures to prevent recurrence.
Coupang regrets the concern this incident has caused and apologizes to those affected.
Marcus on AI, – December 20, 2025
2025 turned out pretty much as I anticipated. What comes next?
AGI didn’t materialize (contra predictions from Elon Musk and others); GPT-5 was underwhelming, and didn’t solve hallucinations. LLMs still aren’t reliable; the economics look dubious. Few AI companies aside from Nvidia are making a profit, and nobody has much of a technical moat. OpenAI has lost a lot of its lead. Many would agree we have reached a point of diminishing returns for scaling; faith in scaling as a route to AGI has dissipated. Neurosymbolic AI (a hybrid of neural networks and classical approaches) is starting to rise. No system solved more than 4 (or maybe any) of the Marcus-Brundage tasks. Despite all the hype, agents didn’t turn out to be reliable. Overall, by my count, sixteen of my seventeen “high confidence” predictions about 2025 proved to be correct.
Here are six or seven predictions for 2026; the first is a holdover from last year that no longer will surprise many people.
- We won’t get to AGI in 2026 (or 7). At this point I doubt many people would publicly disagree, but just a few months ago the world was rather different. Astonishing how much the vibe has shifted in just a few months, especially with people like Sutskever and Sutton coming out with their own concerns.
- Human domestic robots like Optimus and Figure will be all demo and very little product. Reviews by Joanna Stern and Marques Brownle of one early prototype were damning; there will be tons of lab demos but getting these robots to work in people’s homes will be very very hard, as Rodney Brooks has said many times.
- No country will take a decisive lead in the GenAI “race”.
- Work on new approaches such as world models and neurosymbolic will escalate.
- 2025 will be known as the year of the peak bubble, and also the moment at which Wall Street began to lose confidence in generative AI. Valuations may go up before they fall, but the Oracle craze early in September and what has happened since will in hindsight be seen as the beginning of the end.
- Backlash to Generative AI and radical deregulation will escalate. In the midterms, AI will be an election issue for first time. Trump may eventually distance himself from AI because of this backlash.
And lastly, the seventh: a metaprediction, which is a prediction about predictions. I don’t expect my predictions to be as on target this year as last, for a happy reason: across the field, the intellectual situation has gone from one that was stagnant (all LLMs all the time) and unrealistic (“AGI is nigh”) to one that is more fluid, more realistic, and more open-minded. If anything would lead to genuine progress, it would be that.
– December 9, 2025
On December 8th, 2025, Dr. Alexandre De Barros Barreto’s CYSE 587 class presented their shark tank seminar presentations! Each team presented for twenty minutes before a panel of sharks began to ask their questions.
It was an innovative and engaging night, full of discussion, collaboration, and problem solving. Thank you to all of the amazing sharks who came out, and to all of the presenters for their solutions to real world problems!
Please look at the overview post to view each team’s presentation and videos.
BOV Minutes from Dec. 4, 2025 meeting, – December 4, 2025
ITEM NUMBER:
PhD in Cybersecurity Degree Program Proposal
PURPOSE OF ITEM:
The PhD in Cybersecurity degree program proposal is under consideration by the State Council of Higher Education for Virginia (SCHEV) for initiation in Fall 2026. The degree program was originally entitled, “PhD in Cyber Security Engineering.” Board action is required to approve the revised name of the degree program.
APPROPRIATE COMMITTEE:
Academic Affairs Committee
BRIEF NARRATIVE:
On September 26, 2024, the Board of Visitors approved George Mason University’s proposal for a PhD degree program in Cyber Security Engineering. The proposal was submitted to SCHEV in August of 2025. Feedback from SCHEV staff included discussion of a name change to the proposal that would eliminate unnecessary confusion between the terms “cybersecurity” and “cyber security engineering.” Faculty determined that a name change would benefit the degree program. The revised name, “PhD in Cybersecurity,” must be approved by the Board of Visitors before consideration of the degree program can resume at SCHEV.
The proposed degree program is built upon the existing bachelor’s and master’s degree programs in Cyber Security Engineering offered by the Department of Cyber Security Engineering in the College of Engineering and Computing and will create a pathway for doctoral level research and training for students in these degree programs.
The proposed program will train students to solve the next generation of engineering and research problems, educate the future workforce, and lead government agencies and industries in the domain of cybersecurity. The proposed degree program responds to the escalating challenges of an increasingly interconnected and digitized world. The proposed degree program will prepare students for the growing faculty and researcher positions in academia, industry, and government on cyber security education and research. Establishing a PhD program in cybersecurity will address the shortage of experts, foster a robust research community in Virginia, and contribute to the evolution of cutting-edge technologies and methodologies in cybersecurity.
REVENUE IMPLICATIONS:
The program at launch will be revenue neutral. The required core courses will be offered by existing faculty, and the program does not require new laboratory or other facilities. It is anticipated that the program to be revenue enhancing as it reaches maturity.
STAFF RECOMMENDATION:
Staff recommends Board approval.
I. Basic Program Information
Institution (official name) Degree Program Designation Degree Program Name
CIP code
Anticipated Initiation Date Governing Board Approval Date (actual or anticipated)
George Mason University Doctor of Philosophy Cybersecurity
Fall 2026
Anticipated December 4, 2025
STATE COUNCIL OF HIGHER EDUCATION FOR VIRGINIA
Program Announcement Form
II. Curriculum Requirements. Address the following using appropriate bolded category headings:
- Core Coursework and total credit hours (include course descriptor/designator, name, and credit hour value). Indicate new courses with an asterisk.
- Sub Areas (e.g., concentrations, emphasis area, tracks) and total credit hours. Include brief description of focus/purpose of sub area and required courses.
- Additional requirements (e.g., internship, practicum, research, electives, thesis, dissertation) and total credit hours
- Total credit hours for the curriculum/degree program.
Core Courses: 18 credits
CYSE 700: Research Methodology and Pedagogy in Cybersecurity (3 credits) CYSE 710: Advanced Networks and Cybersecurity (3 credits)*
CYSE 757: Cyber Law (3 credits)*
CYSE 780: Advanced Hardware and Cyber-Physical Systems Security (3 credits)* CYSE 788: Advanced Systems Engineering for Cybersecurity (3 credits)*
CYSE 789: Advanced Artificial Intelligence Methods for Cybersecurity (3 credits)*
Restricted Electives: 30 credits
Students select 6 credits from the following courses.
CYSE 760: Human Factors in Cyber Security (3 credits)* CYSE 770: Fundamentals of Operating Systems (3 credits)* ECE 646: Applied Cryptography (3 credits)
Students select 24 credits from a list of courses.
CS 530: Mathematical Foundations of Computer Science (3 credits)
CS 583: Analysis of Algorithms (3 credits)
CYSE 640: Wireless Network Security (3 credits)
CYSE 650: Topics in Cyber Security Engineering (3 credits)
CYSE 698: Independent Study and Research (3 credits)
CYSE 750: Advanced Topics in Cyber Security Engineering (3 credits) CYSE 765: Quantum Information Processing and Security (3 credits)* CYSE 785: Advanced Unmanned Aerial Systems Security (3 credits) ISA 764: Security Experimentation (3 credits)
ISA 862: Models for Computer Security (3 credits)
ISA 863: Advanced Topics in Computer Security (3 credits)
OR 719: Graphical Models for Inference and Decision Making (3 credits)
Program Announcement Form Page 1
Research Requirement: 12 credits
CYSE 998: Doctoral Dissertation Proposal (3-12 credits)*
Dissertation Requirement: 12 credits
CYSE 999: Doctoral Dissertation (1-12 credits)*
Total: 72 credit hours
III. Description of Educational Outcomes. Use bullets to list outcomes. (max. 250 words)
Students will learn to
• Apply foundational knowledge of cybersecurity to engineering applications.
• Analyze cyber-physical systems, networks, software, and hardware for vulnerabilities
to various attack scenarios.
• Integrate security fundamentals in building secure and resilient cyber infrastructure,
including large-scale cyber-physical systems and networks.
• Apply quantitative and qualitative methods to cybersecurity.
• Construct approaches for predicting, detecting, and responding to cyber threats
utilizing artificial intelligence.
• Evaluate the principles of cyber law and how they impact cybersecurity occurrences. • Design curriculum and pedagogical experiences for training the next generation of
cyber security engineers.
• Lead innovative research that contributes to the cyber security engineering knowledge
base.
IV. Description of Workplace Competencies/Skills. Use bullets to list outcomes. (max. 250 words)
V. Duplication. Provide information for each existing degree program at a Virginia public institution at the same degree level. Use SCHEV’s degree/certificate inventory and institutions’ websites.
Institution Program degree designation, name, and Degrees granted (most
CIP code recent 5-yr average)
*ODU is currently developing a stand-alone PhD degree program in Cybersecurity.
Graduate will be able to
- Conduct fundamental research to push the frontiers of cybersecurity defense andmitigation techniques.
- Train and educate undergraduate and graduate students and the population in computersecurity fundamentals.
- Analyze cyber security problems in critical infrastructure and design effective solutions.
Old Dominion University* | Doctor of Engineering (DEng)/Doctor of Philosophy (PhD) in Engineering, concentration in Cybersecurity, CIP code: 140101 | 31 (unable to aggregate by concentration) |
Program Announcement Form Page 2
VI. Labor Market Information. Fill in the tables below with relevant information from the Bureau of Labor Statistics (BLS) and Virginia Employment Commission (VEC). Insert correct years (2023 and 2033) to reflect the most recent 10-year projections. Add rows as necessary.
Labor Market Information: Bureau of Labor Statistics, 2022 -2032 (10-Yr)
Occupation Base Year Projected Total % Change Typical Entry Employment Employment and #s Level Education
Computer science teachers, postsecondary | 42000 | 44300 | 5.3 | Doctoral or professional degree |
Engineering teachers, postsecondary | 45500 | 49700 | 9.3 | Doctoral or professional degree |
Computer and Information Research Scientists | 36500 | 44800 | 22.7 | Master’s Degree |
Labor Market Information: Virginia Employment Commission, 2020 -2030 (10-Yr)
Occupation | Base Year Employment | Projected Employment | Total % Change and #s | Annual Change # | Education |
Computer Science Teachers, Postsecondary | 1523 | 1595 | 4.73 | 7 | N/A |
Engineering Teachers, Postsecondary | 1249 | 1357 | 8.65 | 11 | N/A |
Computer and Information Systems Managers | 14659 | 16636 | 13.48 | 198 | Bachelor’s degree |
Program Announcement Form Page 3
VII. Projected Resource Needs
Cost and Funding Sources to Initiate and Operate the Program
Program Initiation Year 2026 – 2027 | Program Full Enrollment Year 2030-2031 |
Informational Category
- 1 Projected Enrollment (Headcount)
- 2 Projected Enrollment (FTE)
8 22 6 16
Projected Revenue Total from Tuition and E&G Fees Due to the Proposed Program
3
VIII. Virginia Needs. Briefly indicate state needs for the degree program. (max. 250 words)
$228,072 $622,152
State Needs. This proposed program will further the State’s effort in developing a sustainable Cybersecurity industry in the Commonwealth. Although there are bachelor’s and master’s degree programs available in cybersecurity, there is no existing doctoral-level Cyber Security Engineering degree program in Virginia. This is a unique but timely program that will address the gap in producing academic doctoral-level academic and researchers in cybersecurity.
Employer Needs. The program will prepare students for international, national, and local employment in academia, government, contractors, think tanks, and non-government organizations. The program will provide rigorous academic training in cybersecurity required by the employers. Given the location of George Mason, the program has the potential to contribute to the Government needs in cybersecurity researchers. In addition, the program will address the growing need of academics in cybersecurity for academic roles, i.e., faculties and research scientists, opening throughout the country.
Student Needs. The success of the BS and MS in Cyber Security Engineering at George Mason underlines student participation and interest in higher education in cybersecurity. As noted from the BLS data there is significant growth is expected in cybersecurity related jobs, such as 31.5% growth in Information Security analysts over the next ten years. To rigorously train the workforce and continued innovation in cyber, students will need doctoral-level education and research experience. This program will address this unmet student demand.
Cybersecurity_onAir, December 11, 2025 – 2:00 pm to 2:30 pm (ET)
This aircast is an introduction by Saanvi Munigela to a series of livestreamed Zoom interviews with GMU faculty, students, administrators, and alumni around the CYSE program. The host of this series of aircasts on Cyber Security@GMU is Connor Wadlin, Cyber onAir Hub Coordinator.
The YouTube Live audience can ask questions during the livestream in the “Open Discussion” field below.
Include your name with your question. To participate in an ongoing discussion for this aircast, go to this post.
