First victim confirmed in Coupang data breach fallout

Secondary harm stemming from Coupang’s massive personal data breach has now become a reality. The first confirmed case involves a victim who was deceived into transferring 11 million won after being told that a so-called mule bank account had been opened using personal information leaked from Coupang and that the victim was therefore suspected of involvement in criminal activity. The incident occurred as Coupang has effectively failed to take meaningful steps to prevent secondary damage or offer compensation.

On Dec. 18, the Financial Supervisory Service said it had received five reports of suspected secondary harm and confirmed that at least one actual damage case had occurred, prompting it to raise the consumer alert level from “caution” to “warning.” Examples of voice phishing and smishing attempts released that day showed criminals impersonating government agencies and claiming that leaked personal data had been used in crimes to lure victims to phishing websites, or offering to help secure compensation while inducing them to click malicious links. With the personal information of 33.7 million people exposed, virtually anyone can become a potential target, inevitably heightening public anxiety.

Even so, Coupang continues to insist that no secondary harm has been confirmed, effectively turning a blind eye to the ongoing situation. The company’s measures to prevent further damage have largely been limited to urging customers to exercise caution through its website and text messages. It has also failed to provide a clear explanation of how it intends to compensate victims for the data breach and its resulting harm. At a Dec. 17 hearing of the National Assembly’s Science, ICT, Broadcasting and Communications Committee, the company offered only a general statement that compensation measures were under internal review.

Questions are growing about whether Coupang has any genuine intention of resolving the crisis, as founder and Coupang Inc. Chairman Kim Beom-seok, along with former CEOs Park Dae-joon and Kang Han-seung, who recently led the company, all failed to attend the hearing aimed at determining accountability. The reasons cited for their absence, including global business obligations and resignation from executive positions, were widely regarded as unconvincing. Instead, Harold Rogers, the interim CEO and a U.S. citizen, appeared at the hearing but provided perfunctory responses throughout the more than 13-hour session, citing communication difficulties due to his limited Korean proficiency. Ultimately, the National Assembly filed complaints with prosecutors against Kim and the two former CEOs and decided to pursue a joint hearing involving all relevant standing committees, along with a full parliamentary investigation.

The first step toward resolving the crisis is for Chairman Kim, who holds effective control over Coupang, to appear publicly, issue a responsible apology, and clearly outline concrete measures for compensation and preventing a recurrence. Without such action, consumer anger and distrust are likely to escalate to an unmanageable level.