TL;DR: Coupang, South Korea's largest e-commerce platform, began issuing compensation vouchers on January 15, 2026, to 33.7 million users affected by a massive data breach. What did you get? 50,000 won (about $35) split across four single-use vouchers with minimum purchase requirements and a three-month expiration. The breach happened because a former employee kept access to internal systems after leaving. Names, emails, phone numbers, addresses, order histories: all exposed. No credit cards, but everything else.

What Happened

In late 2025, Coupang disclosed that a former employee had accessed and exfiltrated personal data from approximately 33.7 million customer accounts [1]. That's roughly 65% of South Korea's population.

What was exposed:

  • Customer names
  • Email addresses
  • Phone numbers
  • Shipping addresses
  • Order histories

What wasn't exposed (according to Coupang):

  • Credit card numbers
  • Login credentials
  • Payment information

The cause? A former employee who maintained access to internal systems after their departure. How long they had access, what exactly they took, and what they did with it, Coupang hasn't said. But the breach was significant enough to trigger a police investigation and prompt the company to flee the country. Harold Rogers, Coupang's interim CEO, left South Korea amid the investigation [2].

The Insider Threat Problem

This breach wasn't a sophisticated hack. It was an access management failure.

Former employees keeping access is depressingly common. A 2025 study found that 45% of former employees still had access to corporate data after leaving [3]. Companies are good at handing out credentials. They're terrible at revoking them.

What should happen when someone leaves:

  • Immediate credential revocation
  • Session termination across all systems
  • API key rotation
  • VPN and remote access termination
  • Audit log review for unusual access patterns

What actually happens:

  • HR forgets to notify IT
  • IT disables the main account but forgets service accounts
  • API keys stay active for months
  • VPN certs never get revoked
  • Nobody checks the logs until after the breach

Coupang is a multi-billion dollar company. They couldn't manage to revoke access from a departed employee. Your employer is probably worse.

The "Compensation"

Coupang's compensation package totals 1.685 trillion won, approximately $1.17 billion USD. Sounds impressive until you break it down [4].

What each affected user gets: 50,000 won (about $35 USD) in four single-use vouchers:

  • 5,000 won: General Coupang purchases
  • 5,000 won: Coupang Eats (food delivery)
  • 20,000 won: Coupang Travel
  • 20,000 won: R.LUX (luxury goods)

The catches:

  • All vouchers expire April 15, 2026, three months
  • Minimum purchase requirements to use each voucher
  • Only one voucher per product
  • The $20 vouchers are for services most people rarely use

See what they did? $10 in usable vouchers for everyday purchases. $40 locked to premium services that require you to spend significantly more. It's not compensation. It's a marketing campaign. They're using your personal data leak to drive sales on high-margin products.

The Legal Fallout

Not everyone is accepting the voucher deal.

Class-action lawsuit: A lawsuit has been filed against Coupang in the United States, seeking damages beyond the voucher compensation [5]. The suit alleges negligence in data protection and inadequate response to the breach.

South Korean investigation: Korean regulators are investigating Coupang's data protection practices. The country's Personal Information Protection Act requires companies to implement reasonable security measures. Letting former employees maintain access doesn't qualify.

CEO departure: Harold Rogers leaving South Korea during an active police investigation is... notable. It doesn't mean he did anything illegal. But it doesn't inspire confidence either [2].

Why This Matters (Beyond Korea)

Coupang isn't just a Korean story. It's a playbook.

For companies: This is the template for breach response. Disclose late, blame a former employee, offer insulting compensation wrapped in marketing, and wait for the news cycle to move on. Most companies will study this and copy it.

For you:

  • Your shipping address history is valuable. Anyone who knows where packages were delivered to you over years knows where you live, work, and visit.
  • Order histories reveal spending patterns, health conditions (what you buy from pharmacies), relationship status (romantic gift patterns), and more.
  • Email + phone + address = perfect phishing target. Attackers can now send you fake delivery notifications that reference your real address.

The breach didn't expose credit cards. But it exposed everything else needed for identity theft and targeted attacks.

What You Can Do

If You're a Coupang User

  • Change your Coupang password immediately
  • Enable two-factor authentication if available
  • Be extremely suspicious of any emails claiming to be from Coupang
  • Watch for phishing using your exposed address
  • Consider using a delivery locker or alternate address for future orders

Protect Yourself From Insider Threats

  • Use unique passwords for every service (password manager comparison)
  • Use email aliases so breached addresses can be disabled (email alias services)
  • Consider a virtual address for package delivery
  • Monitor your data in breaches with services like Have I Been Pwned

If You Work in Security

This is an access management failure, pure and simple. Audit your offboarding process:

  • Automate credential revocation on employment termination
  • Rotate all API keys and service account credentials
  • Implement continuous access monitoring
  • Review logs for access patterns from recently departed employees
  • Assume your offboarding process is broken until you've tested it

The Bottom Line

33.7 million people had their personal information exposed because Coupang couldn't manage to revoke a former employee's access. In compensation, they get $35 in restricted vouchers (mostly for luxury services they don't use) that expire in three months.

This is what your data is worth to companies: an inconvenient PR problem solved with insulting coupons. The CEO left the country. The customers got marketing emails disguised as compensation.

If you're wondering whether companies take your data security seriously, here's your answer: 50,000 won. Expiring April 15.

References

  1. Security Week - Coupang Data Breach Impacts 34 Million Customers (2026)
  2. Tech in Asia - Coupang CEO Harold Rogers Leaves Korea Amid Police Investigation (January 2026)
  3. Secure From Inside - Insider Threat Statistics 2025
  4. Korea JoongAng Daily - Coupang Begins Issuing Breach Compensation Vouchers (January 15, 2026)
  5. PR Newswire - Class Action Lawsuit Filed Against Coupang (January 2026)