hankyoreh

Coupang’s headquarters in Seoul, which was raided by Seoul police on Jan. 29, 2026. (Yonhap)

Coupang disclosed on Thursday that investigators had confirmed that personal information from 165,000 more accounts had been compromised in the massive data breach revealed last November.  

The Korean e-commerce giant had earlier claimed, based on an internal probe, that only 3,000 accounts were compromised in the personal information leak.

Coupang notified those 165,000 account holders by text message on Thursday that their personal information had been leaked alongside the 33.7 million accounts that were already known.

“The investigating authorities have confirmed that information was leaked from around 165,000 more accounts in the same leak disclosed last November. This notification does not mean that another leak has occurred, but rather that we have confirmed that information from more accounts was leaked in the previous incident,” Coupang said in its text message.

According to Coupang, the leaked information consisted of what customers had saved in their address book: names, phone numbers and mailing addresses.

“The leak did not include payment information, login information, email addresses, order history, or lobby door codes. We notified our customers about the additional information that was leaked at the recommendation of the Personal Information Protection Commission,” a Coupang spokesperson said.

Despite the government’s announcement that the data breach affected over 30 million user accounts, Coupang had insisted that the number was closer to 3,000. Coupang based that claim on the results of its own internal investigation, in which it said a former employee identified as the perpetrator had only saved user data from around 3,000 accounts on a laptop.
 
The revelation that data for an additional 165,000 accounts has been leaked — a 55-fold increase from Coupang’s original claim of 3,000 — is once again calling into question the credibility of the company’s internal investigation.
 
Coupang has changed its story multiple times as it relates to the data breach. On Nov. 20, 2025, Coupang originally announced that the personal information of 4,500 users had been exposed, only to correct itself nine days later by saying that over 30 million accounts had been affected.
 
The company doggedly maintained the use of the word “exposed” in its announcements, only to change the phrasing to “leak” after the Personal Information Protection Commission ruled that Coupang needed to make it unambiguous that customer data had been leaked. 
 
The police were set to summon Harold Rogers, Coupang Corp.’s interim CEO, on Friday for questioning on suspicions of perjury before a National Assembly hearing. Rogers’ appearance before the police comes a mere week after a first round of questioning on Jan. 30, when he was interrogated on the results of Coupang’s internal investigation into the data breach.
 
Rogers has since been accused of giving false testimony at a joint parliamentary hearing on Coupang held in late 2025.
 
Following the massive data breach, Coupang stirred up controversy by announcing the results of its internal probe, during which it had contacted the suspected perpetrator. 
 
During the parliamentary hearing, Rogers testified that the investigation had been carried out at the instruction of the National Intelligence Service, but the spy agency denied the claim, calling it a “blatant falsehood.” 

“[The NIS] never gave any such orders or confirmations of that nature,” the agency said. 
 
The complaint against Rogers was then filed by the National Assembly’s Science, ICT, Broadcasting and Communications Committee.

By Yi Ju-been, staff reporter

Please direct questions or comments to [english@hani.co.kr]