Coupang Faces Korean Probe Over Data Breach, Taiwan Considers Class Action
South Korea’s online shopping giant Coupang remains at the center of a long-running government probe into a large-scale personal data breach, a sign of intensified scrutiny over data privacy in one of Asia’s largest markets. Separately, Taiwan’s largest nonprofit consumer protection group is weighing a class-action suit against Coupang over leaks affecting Taiwanese customers, expanding the company’s cross-border legal exposure.
The Taiwan Consumers Foundation says it is examining the specific harm suffered by victims and reviewing legal options, with a decision on whether to pursue a group lawsuit expected in the near term. The organization, described as Taiwan’s leading nonprofit in consumer protection, has criticized what it views as delay in notifying affected customers.
The foundation noted that Taiwan’s consumer protection framework could be used to hold executives personally liable for serious negligence, pointing to Article 51, which allows punitive damages of up to three times the actual damages in such cases.
In Korea, Coupang disclosed on November 29 last year that a data breach affected 33.7 million domestic customers. At that time, its Taiwan site stated that there was no evidence of Taiwanese customer data leakage.
But on the 24th of the following month, a forensic analysis confirmed that about 200,000 Taiwanese customers’ data had indeed been leaked, prompting the company to revise its earlier position and acknowledge the breach.
Taiwan’s government said it has begun an administrative review of the incident. The Ministry of Digital Development’s Digital Industry Office will soon submit an inspection report, and Coupang has been asked to provide input; a penalty-review committee is expected to be convened as part of the process.
For U.S. readers, the case matters beyond Korea because Coupang is a major Asian e-commerce platform with ties to the global supply chain and investors. The跨-border nature of the breach underscores growing regulatory risk for multinational tech and e-commerce firms, potential punitive damages under foreign consumer protection laws, and implications for cross-border data privacy compliance, international operations, and investor confidence. It highlights how data-security missteps can trigger legal actions, regulatory scrutiny, and reputational risk that span markets and affect U.S. partners and suppliers.