Sign in Subscribe
By Ian Werther in News

Nearly 2,000 sue Coupang in Seoul for civil damages over data breach

Nearly 2,000 people who say they were harmed by Coupang’s large-scale data breach have filed a civil damages suit against the Seoul-based e-commerce giant. The first hearing in the case, brought by 1,998 plaintiffs, was held in the Seoul Central District Court on the afternoon of the 13th.

The plaintiffs’ lawyers are asking for 300,000 won per person as moral damages, along with compensation for delayed damages. They describe the breach as unprecedented in scale and say it involved extensive leakage of personal data, beyond what would normally be expected in a single incident. They cited specific data categories and volumes they allege were exposed by Coupang.

According to the plaintiffs, the data involved include: delivery addresses, phone numbers and names tied to about 148.05 million instances; names and email addresses totaling about 33.67 million records; roughly 100,000 order histories; and around 50,000 shared building-entry passwords. The lawyers argued that such widespread exposure increases the risk of harm to victims and could enable fraud and other crimes for years to come.

Screenshot from privacyguides.org showing the recommendations page for data and metadata redaction tools.
Representative image for context; not directly related to the specific event in this article. License: CC0. Source: Wikimedia Commons.

Coupang, for its part, declined to provide a concrete position at the hearing. The company said any civil proceedings should wait for the results of ongoing investigations by Korea’s privacy regulator and any administrative litigation outcomes before proceeding in civil court. It indicated that civil action would generally follow the administrative results, though it did not specify a timeline.

The presiding judge, Park Jung-ho of the Civil Agreement 22 at Seoul Central District Court, scheduled the case for ongoing hearings on a roughly monthly cadence. The court set the next hearing for 4:00 p.m. on the 17th of next month.

A schematic of the difference in workflow between data-driven and data-brokering companies that shows how each type of company generates revenue from data.
Representative image for context; not directly related to the specific event in this article. License: CC BY-SA 4.0. Source: Wikimedia Commons.

Plaintiffs’ counsel criticized Coupang’s “self-investigation” of the breach, which they say concluded only about 3,000 records were leaked. They argued that public disclosure of leaked data can drive criminal activity, including phishing schemes, and stressed that personal data breaches extend beyond the victims’ control and immediate awareness.

The trial centers on a December incident that Coupang has acknowledged as a privacy breach. The court hearing and the administrative investigation unfold at a time of heightened scrutiny over how major tech and e-commerce platforms protect customer data in Korea, and how such cases are resolved through civil and regulatory channels.

For international readers, the case matters beyond Korea because Coupang is a major regional e-commerce platform with global investor interest. How Korea’s courts, regulators and private plaintiffs address large-scale data breaches can influence global standards for data privacy, risk management in tech-enabled services, and the behavior of multinational companies operating in Asia and beyond. The outcome could affect expectations for data protection, regulatory penalties, and the reliability of risk disclosures for markets that rely on cross-border data flows and digital commerce.

Subscribe to Journal of Korea

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe