Below are the statements Coupang published related to the recent cybersecurity incident.
—————————————————————————————–
Originally posted on Dec 29, 2025 09:50 in KST:
Coupang Announces Compensation Plan to Restore Customer Trust… Issuing 1.685 Trillion Won Worth of Purchase Vouchers
– Compensation plan implemented for all 33.7 million customers… To be provided sequentially starting January 15, next year
– Equivalent to 50,000 won per person… Purchase vouchers for all Coupang products and for Coupang Eats, Travel, and R.LUX
– Practicing ‘customer-centric principles’… We will transform into a company trusted by customers.
Fully acknowledging its responsibility for the recent personal information leak incident, Coupang announced on the 29th that it plans to implement a 1.685 trillion won customer compensation plan to restore customer trust.
Harold Rogers, Coupang Corp.’s interim CEO, stated, “All Coupang executives and employees deeply regret the significant concern and distress the recent personal data leak has caused our customers,” adding, “We have prepared a compensation plan as part of taking responsible action for our customers.”
Coupang plans to distribute purchase vouchers worth around 1.685 trillion won to customers starting January 15 next year. The plan applies to 33.7 million customer accounts who were notified of the personal information leak at the end of last November. Purchase vouchers will be provided equally to both WOW and non-WOW members. It also includes Coupang customers who had canceled their membership and were notified of the personal data leak. The company plans to sequentially notify its 33.7 million customer accounts via text message about the use of the purchase vouchers.
Coupang will provide each customer with four single-use purchase vouchers totaling 50,000 won: all Coupang products including Rocket Delivery, Rocket Overseas, Seller Rocket, and Marketplace (5,000 won), Coupang Eats (5,000 won), Coupang Travel products (20,000 won), and R.LUX products (20,000 won).
Customers can check the purchase vouchers sequentially on the Coupang app starting January 15 and apply them when purchasing products. More specific details are scheduled to be released in a separate announcement.
Harold Rogers, Coupang Corp.’s interim CEO, stated, “Taking this incident as a turning point, Coupang will wholeheartedly embrace ‘customer-centric principles’ and fulfill its responsibilities to the very end, transforming into a company that customers can trust,” adding, “We once again deeply apologize to our customers.”
—————————————————————————————–
Originally posted on Dec 26, 2025 15:00 in KST:
Coupang’s investigation was not a “self investigation.” It was an investigation coordinated on a daily basis, under the express direction of government, over a period of several weeks.
This data leak incident has caused great concern to the public and the continued misstatements that Coupang was conducting an investigation without governmental oversight are creating false insecurity. We would like to clarify facts of our coordination process with the government.
On December 1, the government approached Coupang and asked for full cooperation.
On the 2nd, Coupang received an official, written letter with regard to the incident from the government. On an almost daily basis for the next several weeks, Coupang worked with the government to locate, contact, and communicate with the leaker. At the direction of the government, Coupang secured the leaker’s full confession, recovered all devices used in connection with the leak, and received critical details about Coupang user information. As soon as Coupang received new facts, sworn testimony, or physical materials from the leaker, Coupang turned them over to the government immediately.
On the 9th, the government suggested that Coupang contact the leaker. Coupang worked with the government on messaging and word choice in its communications. Following this, Coupang met the leaker initially on the 14th and reported this to the government. On the 16th, we completed the primary retrieval of the leaker’s desktop and hard drives as directed by the government, which was then reported. On the 17th, we provided them to the government. Coupang understands that after it delivered the hard drive to the government, the government began an immediate review. The government then requested that we recover additional devices from the leaker.
On the 18th, Coupang recovered the leaker’s MacBook Air laptop from a nearby river. Coupang used a forensics team to document and take inventory and then immediately handed the laptop over to the government. On December 21 the government let Coupang to deliver the hard drives, laptop, and all three sworn and fingerprinted declarations to the police. At all times Coupang obeyed the government’s order to keep the operation confidential and not disclose any details, even while governmental agencies, the National Assembly, and parts of the media falsely accused Coupang of failing to seriously address the leak.
On the 23rd, at the government’s request we provided additional briefing about the details of the investigation including details about Coupang’s cooperation with the government. Subsequently, on the 25th, we notified Coupang customers of the investigation status.
Coupang will fully cooperate with the ongoing government investigation and take all necessary measures to prevent any secondary harm.
—————————————————————————————–
Originally posted on Dec 25, 2025 15:35 in KST:
Coupang confirmed that the perpetrator has been identified, and that all devices used in the data leak have been retrieved. The investigation to date indicates that the perpetrator retained limited user data from only 3,000 accounts and subsequently deleted the user data.
Based on the investigation to date:
- The perpetrator accessed 33 million accounts, but only retained user data from approximately 3,000 accounts. The perpetrator subsequently deleted the user data.
- The user data included only 2,609 building entrance codes. No payment data, log-in data or individual customs numbers
- The perpetrator never transferred any of the data to others
We know the recent data leak has caused concern among our customers, and we apologize for the anxiety and inconvenience. Everyone at Coupang and the government authorities has been working tirelessly together to address this critical issue, and we are now providing an important update.
Coupang used digital fingerprints and other forensic evidence to identify the former employee who leaked user data. The perpetrator confessed everything and revealed precise details about how he accessed user data.
All devices and hard drives the perpetrator used to leak Coupang user data have been retrieved and secured following verified procedures. Starting from the submission of the perpetrator’s declaration to government officials on December 17, Coupang has been submitting all devices including hard drives to government officials as soon as we received them. Coupang has also been cooperating fully with all relevant ongoing government investigations.
From the beginning, Coupang commissioned three top global cybersecurity firms—Mandiant, Palo Alto Networks, and Ernst & Young—to perform rigorous forensic investigation.
The investigative findings to date are consistent with the perpetrator’s sworn statements: (i) that he accessed basic user data from 33 million customer accounts using a stolen security key, (ii) that he only retained user data from roughly 3,000 total accounts (name, email, phone number, address and part of order histories), (iii) that from the roughly 3,000 accounts, he only retained 2,609 building entrance access codes, (iv) that he deleted all stored data after seeing news reports of the leak, and (v) that none of the user data was ever transmitted to others.
- Perpetrator accessed basic user data using a stolen security key. The perpetrator stated that he was able to access limited user data—including names, emails, addresses, phone numbers—by stealing an internal security key that he took while still working at the company. Data logs and forensic investigation had already confirmed that the access was carried out using a stolen internal security key and included only the types of data the perpetrator specified (e.g., names, emails, addresses, phone numbers). He did not access any payment data, log-in data, or individual customs numbers.
- Perpetrator gained very limited access to order history and building entrance codes. The perpetrator stated that while accessing basic data relating to a large number of customers, he only ever accessed the order history and building entrance codes for roughly 3,000 accounts. Independent forensic analysis of data logs had already determined that the number of building entrance codes for only 2,609 were ever accessed, just as the perpetrator reported.
- Perpetrator used a desktop PC and MacBook Air laptop for the attack. The perpetrator stated that he used a personal desktop PC and a MacBook Air laptop to provision access and to store a limited amount of user data. Independent forensic investigation confirmed that Coupang systems were accessed using one PC system and one Apple system as the primary hardware interfaces, exactly as the perpetrator described. The perpetrator relinquished the PC system and four hard drives used on the PC system, on which analysts found the script used to carry out the attack.
- Perpetrator sought to erase and dispose of the MacBook Air laptop in a river. The perpetrator stated that when news outlets reported on the data leak he panicked and sought to conceal and destroy the evidence. Among other things, the perpetrator stated that he physically smashed his MacBook Air laptop, placed it in a canvas Coupang bag, loaded the bag with bricks, and threw the bag into a nearby river. Using maps and descriptions provided by the perpetrator, divers recovered the MacBook Air laptop from the river. It was exactly as the perpetrator claimed—in a canvas Coupang bag loaded with bricks—and its serial number matched the serial number in the perpetrator’s iCloud account.
- Perpetrator retained a very small amount of user data, never transferred any of the data, and subsequently deleted all the stored user data. The perpetrator stated that he worked alone, that he only retained a small amount of user data from roughly 3,000 accounts, that the user data was only ever stored on his personal desktop PC and MacBook Air laptop, that none of that user data was ever transmitted to a third party, and that he deleted the stored data immediately after seeing news reports of the leak. The investigative findings to date are consistent with the perpetrator’s sworn statements and found no evidence that contradicts these statements.
We will provide updates following the investigation and plan to separately announce compensation plans to our customers in the near future.
Coupang remains fully committed to protecting customer data. We will cooperate fully with the government’s investigation, take all necessary steps to prevent further harm, and strengthen our measures to prevent recurrence.
Coupang regrets the concern this incident has caused and apologizes to those affected.
