Coupang cyber fallout will be far-reaching

Coupang

16/12/2025 03:02

The author is a Reuters Breakingviews columnist. The opinions expressed are her own.

By Katrina Hamlin

HONG KONG, Dec 16 (Reuters Breakingviews) - The fallout from Coupang's cybersecurity breach will be far-reaching. A massive data leak at South Korea's largest e-commerce group compromised the personal information of nearly 34 million customers – around two-thirds of the total population. The saga has claimed a top executive, but U.S.-listed and headquartered $44 billion Coupang CPNG.N still faces awkward questions about its accountability.

South Korea is already reeling from multiple cyber disasters, including a malware attack on its biggest mobile carrier, SK Telecom 017670.KS, earlier this year. But the scale of Coupang's breach and the company's failure to detect it for five months stand out. President Lee Jae Myung is using the opportunity to push for increased penalties for corporate negligence.

The financial fallout could be hefty. Korea’s Personal Information Protection Act allows fines of up to 3% of revenue if data is mishandled. Based on the parent's 2024 top line, that would represent around $900 million, or roughly three times its forecast net profit for this year, per Visible Alpha.

There are other potential charges too. Disgruntled customers are mobilising. Though the bill is unlikely to go so high, the maximum theoretical amount for civil damages would be more than $11 billion if all the individuals affected were to pursue a class action and each claim 100,000 won, about $68, according to Jeong Eun Kim, a lawyer at D&A. And compliance costs will rise: SK Telecom committed to investing close to $500 million in data protection over five years in the wake of its incident. That all spells trouble for Coupang founder Bom Kim's bets on food delivery, video streaming, payments and artificial intelligence from Japan to Taiwan.

The company has shed $7 billion in market value since its subsidiary disclosed the breach in late November, and its New York shares have now halved since their blockbuster debut in 2021, but the stock is not cheap. Even after the latest selloff, it still trades on nearly 60 times forecast 2026 earnings, well above the roughly 30 and 20 times multiples at global peers Amazon AMZN.O and Alibaba 9988.HK. That now looks harder to justify.

    Kim's actions also may make the situation worse. The CEO and chair of the U.S.-listed parent
    won't attend a
     parliamentary hearing in Seoul this week. That's riled South Korean lawmakers who are eager for accountability from the firm in which he owns a 74% voting share. And, as of December 15, the parent had yet to disclose anything about the cyber breach to its investors. No wonder they are bracing for impact.

Follow Katrina Hamlin on Bluesky and Linkedin.

CONTEXT NEWS

Park Dae-jun, CEO of South Korea's biggest online retailer Coupang, has resigned, the company said on December 10.

The company, owned by U.S.-listed and headquartered Coupang Inc, said on November 29 that a cybersecurity breach had exposed customers' names, email addresses, phone numbers, shipping addresses and certain order histories, but not payment details or login credentials. The breach involved personal data of more than 33.7 million customers. Unauthorised access began on June 24, per the company.

Park acknowledged he shared responsibility for a major data breach and the way the incident was handled, according to the company statement.

Under current South Korean law, companies that fail to implement adequate data protection measures can be fined up to 3% of revenue.

Coupang's forward price-to-earnings multiple is higher than peers https://www.reuters.com/graphics/BRV-BRV/zgpoyjykzpd/chart.png

Coupang's net margins are expected to stay razor-thin https://www.reuters.com/graphics/BRV-BRV/egpbblbaxpq/chart.png

(Editing by Robyn Mak; Production by Ujjaini Dutta)

((For previous columns by the author, Reuters customers can click on HAMLIN/katrina.hamlin@thomsonreuters.com; Reuters Messaging: katrina.hamlin.thomsonreuters.com@reuters.net))