Search All Site Content

Total Index: 6911 publications.

Subscribe to our Mailing List!

Sign up for our mailing list to keep up to date on all the latest developments.

The Peninsula

The Coupang Data Breach: A Timeline

Published February 22, 2026
Author: Yohan Moon
Category: Indo-Pacific, Technology

South Korea’s largest online retailer, Coupang, suffered a massive data breach last year that exposed the personal information of more than 33 million users. The breach triggered a sweeping response from the South Korean government, raising questions about jurisdiction, as Coupang is based in Seattle, Washington.

This timeline tracks major public developments related to the breach and the legal, regulatory, and congressional activity it has set in motion in the United States and South Korea, updated in reverse chronological order with sources linked to each entry.

February 12, 2026

Coupang disputes findings from a South Korean government-led investigation, arguing that while investigators cited roughly 50,000 views of pages containing building lobby access codes, only 2,609 accounts with such codes were actually accessed. The company says no secondary harm or dark web activity has been detected.

South Korea’s Ministry of Justice states that three U.S.-based investors—Abrams Capital, Durable Capital Partners, and Foxhaven—submitted additional “notice of intent” filings to join the investor-state dispute settlement (ISDS) process under the U.S.-South Korea Free Trade Agreement’s investment chapter, bringing the total number of investors involved to five.

February 11, 2026

A U.S. House Judiciary Committee subpoena is reportedly expected to proceed through a closed-door committee deposition rather than a public hearing. Coupang’s interim CEO, Harold Rogers, requests to appear on February 23. The committee’s inquiry seeks company communications related to the Korean government’s actions and frames the deposition as part of an oversight investigation.

February 10, 2026

South Korea’s Ministry of Science and ICT releases the results of a joint public-private investigation into the data breach, including findings on the scale of impacted accounts and the extent of access to “delivery address list” pages. The ministry characterized the breach as “a management problem“ rather than a sophisticated cyberattack. The ministry states that a former Coupang engineer who left the company in November 2024 stole an internal signing key that enabled unauthorized access to customer accounts.

February 6, 2026

Yonhap reports that Coupang’s interim CEO appears for questioning a second time, which lasts approximately fourteen hours, regarding allegations tied to prior testimony and related investigative issues.

Korea’s Personal Information Protection Commission (PIPC) states it is continuing a thorough investigation and will verify new reports of additional affected accounts identified during Coupang’s internal review of a “delivery address list,” including whether the data breach extends beyond registered Coupang users.

The U.S. House Judiciary Committee announces it has issued a subpoena to Coupang for documents and communications and requests testimony as part of an oversight investigation focused on the alleged discriminatory targeting of U.S. companies.

Coupang states it will fully cooperate with the U.S. House Judiciary Committee’s subpoena, including producing requested documents and providing witness testimony, and says it will continue to cooperate with South Korean investigations related to the incident.

February 5, 2026

Coupang confirms that additional user accounts were affected by a “delivery address list” breach, with at least 165,000 more accounts affected. Personal data included names, phone numbers, and addresses.

The U.S. House Judiciary Committee issues a subpoena to Coupang as part of a probe into alleged discrimination against U.S. companies. They specifically request that Rogers appear on February 23 and seek communications between Coupang and South Korean government entities related to the company’s compliance with foreign laws and government-initiated actions, while warning that noncompliance could carry legal consequences under U.S. congressional procedures.

January 30, 2026

Coupang’s interim CEO is questioned by police.

January 27, 2026

President Donald Trump announces he will raise tariffs on certain South Korean imports in a Truth Social post.

House Judiciary Committee Republicans repost Trump’s tariff threat, opining that, “This is what happens when you unfairly target American companies like Coupang.” This post is shared by leading Republicans, including House Judiciary Committee member Darrell Issa (R-CA), who warns that “targeting of American companies” like Coupang “won’t be tolerated.”

January 23, 2026

Coupang says it was not involved in an investor petition to the U.S. trade representative.

Korean Prime Minister Kim Min-seok tells U.S. lawmakers there is “absolutely no discrimination“ against Coupang, framing the probe as routine enforcement rather than trade discrimination.

January 22, 2026

Two U.S. investment firms, Greenoaks Capital Partners and Altimeter Capital Management, file a petition seeking relief under Section 301 with the Office of the United States Trade Representative. They issue a notice of intent to the Korean government, stating their intent to pursue arbitration against it and claiming, among other things, that the Lee Jae Myung administration is seeking to undermine U.S. competitiveness on the Korean Peninsula.

January 14, 2026

Reports emerge that the PIPC instructed Coupang to stop publishing unconfirmed information related to the incident while the investigation is ongoing.

January 13, 2026

The U.S. House Committee on Ways and Means’ Trade Subcommittee holds a hearing titled “Maintaining American Innovation and Technology Leadership,” which includes references to digital trade and treatment of U.S. firms abroad.

At the hearing, Subcommittee Chairman Adrian Smith says “Korean regulators” are “aggressively targeting U.S. technology leaders.” Chairman Smith added that, “One example would be Coupang through discriminatory regulatory actions.”

December 30, 2025

The National Assembly files a perjury complaint against Coupang’s interim CEO after Rogers testified at a joint hearing that Coupang’s internal investigation was conducted at the direction of the National Intelligence Service (NIS) and that the NIS asked the company to contact the former employee responsible for the breach. The NIS denies both claims and requests that the National Assembly file the complaint.

December 29, 2025

Coupang unveils a nearly KRW 1.7 trillion (approximately USD 1.2 billion) compensation plan for tens of millions of users affected by the data breach.

December 26, 2025

Coupang publishes a detailed account of its cooperation with Korean authorities, pushing back against claims that an internal review was conducted without adequate oversight. The company describes weeks of coordination with the government, including efforts to recover devices linked to the breach.

December 25, 2025

Coupang releases a statement accusing a former employee of accessing data from roughly 33 million accounts. The firm says the employee saved only about 3,000 user records and did not send any personal data to any third party.

December 3, 2025

The PIPC demands that Coupang issue a corrected notice to users, specifying that a “leak” occurred rather than the firm’s earlier description of data “exposure.”

December 2, 2025

President Lee calls for tougher penalties against corporate negligence in data breaches during a cabinet meeting, describing personal data protection as a key asset in the age of AI and digitalization.

Coupang’s Chief Information Security Officer, Brett Matthes, tells a National Assembly hearing that the perpetrator likely held a “privileged role” within the organization that would have enabled access to a private encryption key.

December 1, 2025

Reports emerge that the Korean police have opened a probe into the breach, including the reported scale of affected customers and the government’s initial investigative posture.

November 29, 2025

Coupang reveals to the public for the first time that the personal data of approximately 33.7 million users was leaked and that authorities are investigating.

November 19, 2025

Coupang reports the breach to Korean authorities at 9:35 p.m., more than fifty-three hours after internal identification, exceeding the twenty-four-hour reporting requirement under South Korea’s information network law.

November 18, 2025

Coupang internally identifies unauthorized access to customer accounts, initially estimating roughly 4,500 accounts affected. The breach was reportedly discovered only after the former employee sent threatening anonymous emails to the company and individual users.

November 13, 2025

The White House and the Office of the U.S. Trade Representative release fact sheets documenting an understanding between the United States and South Korea on trade and investment as part of the U.S.-Korea trade deal, including language on digital trade later referenced in congressional and investor filings.

The fact sheet states, “The United States and the ROK commit to ensure that U.S. companies are not discriminated against and do not face unnecessary barriers in terms of laws and policies concerning digital services, including network usage fees and online platform regulations, and to facilitate cross-border transfer of data, including for location, reinsurance, and personal data.”

August 25, 2025

Following a bilateral meeting with President Lee, President Donald Trump warns in a Truth Social post that he will impose additional tariffs and export restrictions on countries with digital taxes or rules he describes as discriminatory toward U.S. technology.

June 30, 2025

U.S. Representatives Adrian Smith (R-NE) and Carol Miller (R-WV) issue a letter signed by forty-one congressional colleagues addressed to U.S. Trade Representative Jamieson Greer, Secretary of the Treasury Scott Bessent, and Secretary of Commerce Howard Lutnick, asking the Trump administration to include digital trade barriers as part of its trade negotiations with Korea.

April 14, 2025

A former Coupang employee begins unauthorized access to the company’s systems, a breach that continues until November 8, 2025, according to findings from a Korean government-led investigation published in February 2026. Investigators also identify traces of an earlier attempted intrusion around January 2025.

 

Yohan Moon is a Researcher at the Korea Economic Institute of America. The views expressed here are the author’s alone.

Feature image from Bonnielou2013 via CC BY-SA 4.0

Note: This timeline compiles publicly reported developments and does not reflect the views or analysis of the Korea Economic Institute of America. Entries draw primarily from media reports, as well as government releases, company statements, U.S. congressional documents, and trade filings.

KEI is registered under the FARA as an agent of the Korea Institute for International Economic Policy, a public corporation established by the government of the Republic of Korea. Additional information is available at the Department of Justice, Washington, D.C.

Return to the Peninsula

Stay Informed
Register to receive updates from KEI

KEI is registered under the FARA as an agent of the KIEP, a public corporation established by the government of the Republic of Korea.
Additional information is available at the U.S. Department of Justice, Washington, DC.