Coupang Announces $11.62 Billion Compensation Amid Ongoing Responsibility Dispute
Moves to Ease the Burden of a Prolonged Crisis
Absence from hearings fuels accusations of responsibility evasion
Large-scale government task force launched to identify root causes

Coupang has entered a damage control phase following a massive personal data breach by announcing a compensation package worth approximately $34.83 per user for all members. The move, which goes beyond the company’s strict legal obligations, is widely interpreted as an effort to reduce legal and political risks associated with a prolonged crisis.
However, criticism remains over the decision to offer compensation in the form of in-house shopping credits rather than cash, while controversy has yet to subside as senior executives identified as key responsible figures have declined to appear before the National Assembly. With Coupang’s position sharply diverging from that of the Korean government, close attention is now focused on whether this compensation framework and response strategy will set a precedent for future personal data breach cases.
Preemptive Action to Head Off Lawsuits and Extra Sanctions
On the 29th, Coupang announced in an official statement that it would provide shopping credits worth approximately $34.83 per person to a total of 33.7 million customer accounts. Harold Rogers, interim CEO of Coupang Korea, said in the statement that all Coupang employees “deeply recognize the level of concern and distress caused to customers by the personal data breach that occurred within the company,” adding that the compensation package was prepared “as a responsible measure for consumers affected by this incident.” The total compensation amounts to approximately $11.62 billion, the largest payout ever announced in Korea for a single personal data breach incident.
A defining feature of the compensation plan is that it applies not only to the roughly 3,000 individuals whose data was confirmed to have been leaked externally, but to all 33.7 million accounts that received breach notifications. The compensation applies equally to paid membership subscribers and general users, and even includes customers who have already withdrawn from the platform. Starting January 15 next year, Coupang plans to distribute four types of shopping credits sequentially: a $3.45 credit usable across all Rocket Delivery, Rocket Jikgu, and marketplace products; a $3.45 Coupang Eats credit; a $13.79 Coupang Travel credit; and a $13.79 allowance for its luxury platform, R.LUX.
The scale of the compensation also represents a substantial financial burden relative to Coupang’s earnings. The $11.62 billion package is approximately 4.4 times the company’s combined net profit of about $2.65 billion for the first three quarters of this year, and more than 17 times its full-year net profit of roughly $648 million last year. When compared with Coupang’s cumulative investment of approximately $42.76 billion in domestic logistics infrastructure over the past decade, the compensation package alone amounts to nearly 30 percent of that figure. This has been widely interpreted as a signal that Coupang views the incident as a challenge to overall corporate trust rather than a standalone security failure.
Industry observers note that Coupang’s decision to adopt such an aggressive compensation plan reflects calculations around the risks of a prolonged crisis. If the data breach were to escalate into lawsuits or class actions, the company would face mounting legal costs, regulatory risks, and user attrition driven by declining platform trust. With political scrutiny intensifying and Korean government–level investigations already underway, a strategy of blanket compensation may serve as a means of extinguishing controversy at an early stage. Industry commentary suggests that Coupang has opted to minimize broader social costs rather than adhere strictly to minimum legal liability.
Nonetheless, questions remain regarding the effectiveness of the compensation. Critics argue that offering in-house shopping credits instead of cash inherently limits the real value of compensation. Of the total credits provided, only about $6.90 can be immediately used on Coupang and Coupang Eats—platforms most frequently accessed by users—while the remaining $27.93 is allocated to Coupang Travel and R.LUX, which see comparatively lower usage rates. The structure, which confines compensation to internal platforms, has fueled criticism that the plan prioritizes retaining customers and encouraging additional spending rather than delivering genuine restitution for consumer harm.

Gap Between Apology and Accountability
Further criticism has been directed at the decision by key figures, including Coupang founder and Coupang Inc. board chairman Bom Kim, Vice President Kim Yuseok, and former CEO Kang Hansung, to decline attendance at National Assembly hearings. Kim and Kim Yuseok cited scheduling conflicts for the joint hearings scheduled for the 30th and 31st, while Kang stated that he currently works in the United States and no longer represents the company, having stepped down as CEO seven months ago. With all principal figures absent, critics argue that the purpose of the hearings—examining responsibility for a serious personal data breach—has been fundamentally undermined.
The situation recalls a hearing held just one week earlier. On the 17th, interim CEO Rogers appeared before lawmakers but was unable to provide clear answers regarding the cause of the breach or the allocation of responsibility, leading to criticism that the session lacked substance. Observers warn that the upcoming joint hearings may yield similar results if they proceed without the individuals who wield actual decision-making authority. Participants scheduled to attend include Rogers, Chief Information Security Officer Brett Mattis, former CEO Park Daejun, Senior Vice President for External Affairs Min Byungki, Senior Vice President for Legal Affairs Lee Jaegul, and Senior Vice President for Communications Lee Youngmok.
A central issue is that Bom Kim, who controls roughly 70 percent of Coupang Inc.’s voting rights and is widely regarded as the company’s de facto decision-maker, will not be present. Kim has never complied with National Assembly summonses related to labor issues or platform regulation, instead communicating corporate policy exclusively through earnings calls as the head of a U.S.-listed company. Within the legislature, there is growing discussion of additional pressure measures—including a formal parliamentary investigation, compulsory attendance orders, and even consideration of entry restrictions—should Kim continue to refuse to appear.
The disparity between apology and accountability has further intensified criticism. In a written apology issued on the 28th, Kim stated that he “failed to communicate clearly and directly from the early stages of the incident, causing frustration and disappointment,” while emphasizing cooperation with the Korean government. However, the apology came a month after the breach was disclosed, and his refusal to attend legislative hearings has remained unchanged, leaving questions over sincerity unresolved. The Korea Consumer Organizations Council condemned Coupang’s response as “arrogant,” calling for a direct apology from the top executive, transparent disclosure, and substantive relief for affected users.
“Government Directive” vs. “Unverified Results”
Earlier on the 25th, Coupang stated that it had cooperated with the Korean government to obtain testimony from a former employee suspected of involvement in the data breach and had secured relevant devices, including a desktop PC and a MacBook Air allegedly used in the incident. Coupang emphasized that these actions were taken not as part of an internal probe, but at the direction of the Korean government. The company claimed that a review of testimony and digital forensic analysis showed that approximately 3,000 customer records had been stored and that no external transmission had occurred, adding that all confirmed data had since been deleted and that relevant materials and equipment had been handed over to the authorities.
However, explanations from Korean government agencies diverged from Coupang’s account. The Ministry of Science and ICT stated that Coupang’s claims had not been verified by the joint public–private investigation team, raising questions over whether the company had unilaterally announced its own findings. The National Intelligence Service also distanced itself, stating that it was not in a position to issue instructions to Coupang and had not done so. While the agency acknowledged conducting information-sharing discussions from a national security perspective given the possibility of large-scale foreign involvement, it denied leading the investigation or issuing specific directives.
Coupang responded with a renewed rebuttal on the 26th, asserting that the investigation had been conducted over several weeks in close daily coordination with the Korean government. According to Coupang, authorities proposed contacting the suspect on the 9th, with the first meeting occurring on the 14th. On the 16th, the suspect’s desktop PC and hard drive were retrieved and delivered to the authorities, followed by the recovery of a MacBook Air from a nearby stream on the 18th, which was immediately handed over after forensic procedures. On the 21st, with government approval, Coupang submitted hard drives, laptops, and three signed witness statements—including fingerprint verification—to the police, while refraining from public disclosure at the request of investigators.
These claims partially conflict with police statements. A police official noted that before the voluntary submission of evidence on the 21st, there had been no coordination with Coupang regarding suspect contact or evidence collection, adding that it remained unclear which agency Coupang referred to as “the government.” As a result, the dispute over Coupang’s assertion of acting under government instruction versus the actual role of investigative authorities continues to intensify. With the scope and leadership of public–private cooperation yet to be clearly defined, controversy is mounting over whether Coupang’s response was appropriate.
Separately, the Korean government has launched a comprehensive inter-agency response in light of the incident’s broader impact. Seven agencies—including the Ministry of Science and ICT, the National Intelligence Service, the National Police Agency, the Personal Information Protection Commission, the Korea Communications Commission, the Financial Services Commission, and the Fair Trade Commission—have formed a task force to respond to the Coupang hacking incident. The matter was tabled as an emergency agenda item at a ministerial meeting chaired by Deputy Prime Minister Bae Kyung-hoon on the 18th, with Vice Minister Ryu Je-myung appointed as task force head. The task force plans to focus on sharing investigative updates, strengthening user protection measures, and reinforcing accountability mechanisms for Coupang going forward.