Seoul Holds First Hearing in Coupang Data Breach Class-Action by 1,900 Plaintiffs

A large-scale class-action lawsuit against Coupang over a major data breach began its first hearing in Seoul on February 13. About 1,900 Coupang users joined the case, with 1,998 plaintiffs named in the initial filing before the Seoul Central District Court’s 22nd Civil Panel. The plaintiffs allege not only damages from the data leakage itself but also shortcomings in Coupang’s response after the incident.

The plaintiffs contend the breach exposed far more data than Coupang disclosed. They say roughly 33.67 million records, including users’ names and emails, were leaked from Coupang’s “My Information Edit” page, and that the “Delivery List” page exposed names, phone numbers, delivery addresses, and even unmasked door codes that could be used to access shared entrances. They argue Coupang repeatedly minimized the scope of the incident and say the company announced only about 3,000 leaked records in December after its own investigation.

Based on those assertions, the plaintiffs are seeking damages of about 300,000 won per person. They contend Coupang misrepresented the extent of the breach and its severity, and they are expanding the scope of the case to include alleged deceit as a broader wrongful act beyond the initial data-leak claim.

Coupang’s side asked the court to proceed with the proceedings given an ongoing investigation by Korea’s Personal Information Protection Commission (PIPC). Coupang says the PIPC’s findings—and any resulting penalties—have not yet been issued and that those results could affect the case. The company noted that in other privacy-breach cases, administrative actions and civil lawsuits often run in parallel, and it urged the court to continue with the civil proceedings.

The plaintiffs’ counsel signaled openness to additional remedies, including the prospect of punitive damages if allowed under Korea’s evolving privacy regime. The lawyer said the case could be broadened to address alleged deceptive practices and to consider punitive damages for violations of statutory safety-and-security obligations, referencing a newly implemented or upcoming provision in Korea’s Personal Information Protection Act.

During the session, the judge indicated both sides would submit positions within about a month, after which a new hearing was scheduled for the 17th of the following month. The court asked each side to clarify its stance on how to proceed given the competing interests of ongoing regulatory investigation and civil liability.

Context for international readers: Coupang operates as one of South Korea’s leading e-commerce platforms, akin to a cross-border retail model with substantial online consumer data flows. The case highlights how privacy regulation and potential punitive-damages provisions in Korea could affect global tech firms with Korean operations, influence corporate risk management and incident response, and shape how data breaches are litigated in major markets. The ongoing PIPC investigation and potential sanctions may have implications for foreign businesses handling Korean customer data and for U.S. tech and retail companies evaluating privacy programs and breach disclosures in Korea.