Coupang has formally disclosed its massive data breach affecting some 33 million customers to US regulators, filing an 8-K report with the Securities and Exchange Commission.
According to the SEC, Coupang Inc., a Delaware-incorporated company that sits atop the Korean e-commerce giant’s ownership structure, filed the report on Monday (US time). The filing said Coupang became aware of a cybersecurity incident involving unauthorized access to customer accounts on Nov. 18.
The report explained that upon discovering the incident, Coupang activated its incident-response procedures, blocked the threat actor’s unauthorized access, reported the incident to relevant Korean regulatory and law enforcement authorities and notified customers whose data may have been accessed.
It added that Coupang has determined, based on investigative findings, that a former employee may have obtained names, phone numbers, delivery addresses and email addresses associated with up to 33 million customer accounts, as well as certain order histories for a subset of affected accounts.
“To Coupang’s knowledge, the former employee has not publicly disclosed the obtained data. No Coupang customers’ banking information, payment card information or login credentials were obtained or otherwise compromised in the incident. Coupang is continuing its investigation and has engaged external forensic experts to assist with the investigation,” the filing said.
“Korean regulators have initiated investigations, with which Coupang is fully cooperating. While one or more Korean regulators may impose financial penalties, at this time we cannot reasonably estimate any amount of losses or range of losses that may result from such penalties.”
The filing noted that although Coupang’s operations have not been “materially disrupted,” the company remains exposed to various risks stemming from the incident, including diversion of management attention and potentially material financial losses resulting from lost revenue and higher expenses related to remediation, regulatory penalties and litigation.
Under SEC regulations, companies listed on US stock exchanges are required to file a report within four business days of determining that a significant event is material. Coupang’s filing, however, does not state whether it made such a materiality determination, instead noting only when it became “aware” of the incident.
Whether the SEC will take enforcement action against Coupang remains unclear, as enforcement activity against public companies has declined sharply this fiscal year, coinciding with the start of the second Trump administration. The SEC’s fiscal year runs from Oct. 1 to Sept. 30.
According to a database compiled by New York University that has tracked SEC enforcement cases since 2010, the number of SEC actions fell 30 percent in fiscal 2025 from the previous year — the steepest decline recorded in any transition year. Researchers said 93 percent of all SEC actions against publicly listed firms were initiated before the Trump administration appointed a new chair.
“What’s striking this year is not the overall decline, but when the actions occurred,” said study co-author Stephen Choi, a professor at New York University School of Law and co-director of the Pollack Center. “Nearly all of this enforcement activity took place before the SEC administration change, with very few actions under the new administration.”
Coupang’s SEC disclosure comes ahead of a parliamentary hearing scheduled for Wednesday. Founder Bom Kim, who controls about 74 percent of the voting rights of Coupang Inc., has notified lawmakers that he will not attend due to overseas business obligations. Instead, newly appointed CEO Harold Rogers is set to appear before the National Assembly.
Most Commented