Coupang Agrees to Record $1.1 Billion Payout After Massive Data Breach

Seoul, South Korea — In the largest consumer-data settlement in Asian e-commerce history, Coupang has pledged $1.1 billion in compensation to users whose personal information was exposed during a 2022 cyber-intrusion that security researchers now call "the breach that refused to die."

The announcement, delivered at dawn in a glass-walled conference room overlooking the Han River, landed like a thunderclap across Korea’s already jittery tech sector. Inside, Coupang’s newly appointed chief privacy officer, Kim Min-jun, read from a single sheet of paper: "We failed our customers. Today we begin to make it right."

The Hack That Kept Growing

What began as a suspicious login alert in March 2022 snowballed into a cascading series of database exposures—names, birthdays, phone numbers, partial credit-card details, even the occasional shopping wish-list—spilling onto dark-web forums for months. Cyber-security firm IssueMakers estimates that at least 12 million South Koreans, one in every four adults, were touched by the leak.

"Every time we thought we’d patched the last hole, another door swung open," said a former Coupang incident-response engineer who spoke on condition of anonymity. "It felt like bailing water with a sieve."

From Apology to Action

Under the binding settlement filed with the Seoul Central District Court, Coupang will:

• Deposit $880 million into a court-managed fund for direct cash payouts to verified victims;
• Earmark $150 million for two years of free credit-monitoring and identity-theft insurance;
• Spend $70 million upgrading its cloud infrastructure and hiring third-party ethical-hacker teams.

Payments to individuals will average roughly $73—modest at first glance, yet enough, regulators argue, to cover new phone numbers, replacement cards, and the intangible cost of sleeping soundly again.

Market Shockwaves

Shares in the New York–listed retailer plummeted 11 % within minutes of the settlement news, erasing $6.4 billion in market value before a late-day bounce. Analysts at KB Securities downgraded the stock to "neutral," warning that "litigation overhang will shadow earnings well into 2025."

Competitors smelled blood. Naver, Korea’s dominant search-and-shopping portal, launched a same-day delivery guarantee in Busan and Incheon, markets Coupang has long dominated. Smaller rival 11st even rolled out a tongue-in-cheek ad campaign: "Your data stays with us—because it never leaves."

Global Ripple Effects

European privacy watchdogs are watching closely. Giovanni Buttarelli, a data-protection adviser to Brussels, told reporters the payout "sets a continental benchmark" for GDPR-class damages in future cross-border cases. Meanwhile, U.S. plaintiffs’ firms have already filed feeler lawsuits in Delaware, hoping to piggyback on Korea’s discovery.

Voices from the Checkout Line

At a Coupang-manufactured grocery warehouse in Gwangmyeong, 38-year-old shopper Park Ji-eun tapped her phone, skeptical. "I’ll believe the money when it hits my bank account," she said, clutching a recyclable bag. "Until then, I’m back to paying cash at mom-and-pop marts."

Others see a silver lining. College student Lee Hyun-woo, who spent last summer tracking breach notifications instead of studying, called the settlement "a wake-up tax on every company that hoards our clicks."

What Happens Next

Claim filing opens next month through a government portal. Those who previously accepted smaller goodwill vouchers will be eligible for top-up amounts. Coupang must submit quarterly audit reports for three years; failure triggers an additional $100 million penalty.

As morning traffic thickened along the river, Kim Min-jun ended the press conference with a bow so deep his forehead nearly brushed the lectern. Cameras clicked. Somewhere inside the building, a new security operations center—walls lined with 55-inch threat-intelligence screens—hummed to life, promising, at least for now, that the next breach would find fewer open doors.