hankyoreh

Harold Rogers, the interim CEO of Coupang Corp. in Korea, arrives at the Seoul Metropolitan Police building for questioning on Jan. 30, 2026. (Ryu Woo-jong/Hankyoreh)

Criminal liability for e-commerce giant Coupang’s data breach will be determined through a police investigation following Tuesday’s release of the findings of a joint public-private probe that revealed that over 30 million accounts were affected. Korean police are investigating everything from the actual leak by a former Coupang employee to the suspicions that the company attempted to cover up the incident through an internal probe.
 
According to police and other authorities, the Seoul Metropolitan Police Agency’s task force investigating Coupang has broken down the case into three main areas: the suspected perpetrator of the leak, the announcement of the findings of Coupang’s internal probe, and the question of Coupang’s corporate liability.
 
The police have thus far been carrying out their investigation based on evidence obtained in a week-long intensive raid on Coupang Corp.’s headquarters in Seoul in December, and materials voluntarily submitted by the company.
 
The investigation into the former Coupang employee suspected of hacking information networks and leaking customer data is now in its final stages. However, a key issue that remains is securing the custody of the suspect, who is a Chinese national and who currently resides in China.
 
From the outset, Korean police requested the cooperation of Interpol and others to facilitate the suspect’s extradition, but have reportedly not yet received any substantive responses. Park Seong-ju, the chief of the police-run National Office of Investigation, who departed on Monday for a visit with China’s Ministry of Public Security, is said to have requested international cooperation from China.
 
Police are also continuing to look into Coupang’s arbitrary investigation into its data leak and its subsequent publication of findings that claimed only around 3,000 users were affected.

The police estimate that the breach affected information from at least 30 million users and believe that Coupang’s internal findings are faulty, and recently summoned Harold Rogers, the company’s interim CEO, to question him on the particulars of the internal investigation.
 
Coupang previously attempted to downplay the severity of the leak in a report submitted on Dec. 29 to the US Securities and Exchange Commission, claiming that the “perpetrator only saved limited data from approximately 3,000 customer accounts.”
 
The investigations that will determine Coupang’s corporate liability for the data leak will have major consequences for the users whose data was leaked.

Daeryun Law Firm filed a class action against Coupang Corp. and its former CEO, Park Dae-jun, in December, on behalf of a group of victims affected by the leak, alleging violations of the Personal Information Protection Act and other charges.

South Korean law stipulates that companies that neglect their duty to protect personal information will not face criminal punishment, but penalty surcharges. However, the plaintiffs are classifying Coupang’s mismanagement and inadequate response as a “provision of personal information to a third party,” which is subject to punishment under the criminal code. 
 
Whether Coupang is found liable could also influence the damages lawsuit against Coupang, which is said to involve over 500,000 complainants.

“We have received the results of the joint public-private investigation, and we are determined to conduct further rigorous probes into the remaining allegations surrounding Coupang,” a police official commented.

By Bang Jun-ho, staff reporter; Cho Hae-yeong, staff reporter

Please direct questions or comments to [english@hani.co.kr]