Customers are walking away from South Korean e-commerce platform Coupang in the wake of a customer data breach and a series of communication blunders that have shaken consumer confidence and drawn intense legal and regulatory scrutiny.
Coupang, often referred to as the Amazon of South Korea, admitted on November 29 that it became aware on November 18 of unauthorized access to personal data in around 4,500 customer accounts. Subsequent investigation found that the breach affected 33.7 million customer accounts, all in South Korea, which has a population of 52 million. The breach started on June 24 through overseas servers, the company stated.
“The exposed data is limited to name, email address, phone number, shipping address, and certain order histories and does not include any payment details, credit card numbers, or login credentials, which remain securely protected.”
Coupang offered “sincere apologies for any concern this may have caused” and warned customers to “exercise vigilance against phone calls, text messages, or other communications impersonating Coupang.” The company’s CEO, Park Dae-jun, posted another apology on its website on November 30.
Within days, the e-commerce giant saw its daily active user count drop by more than 1.8 million people.
Coupang’s daily active users (DAU) dropped to 15.94 million on December 6, from a record high of 17.99 million on December 1 and 16.25 million on November 29, according to Mobile Index, a data analytics platform owned by IGAWorks.
The reversal comes after an initial surge in app traffic as customers rushed to reset their passwords or delete their accounts. Some of those users appear to be leaving the app for competitors like Gmarket, which saw its DAUs increase by 5.81 percent from 1.36 million to 1.43 million between November 29 and December 5. During the same period, 11th Street saw a 14.33 percent increase, while traffic at Naver Plus Store jumped by 23.1 percent.
Coupang’s initial response and questionable crisis communication are contributing to the abandonment.
The Apology That Looked Like a Promotion
The tipping point for many users appears to be Coupang’s handling of its public apology. The company already faced criticism for a quickly removed statement that downplayed the incident as a data “exposure” rather than a “leak.”
When the revised apology was posted following a government request to correct the language, the company made a CX error. Journalists and users sharing the updated notice on platforms like South Korean messaging app KakaoTalk and X (formerly Twitter) were shown the preview title “Coupang-recommended Coupang-related benefits and special deals.”
This promotional phrasing, appearing next to a link to a data breach apology, suggested to customers that the retailer was prioritizing marketing over crisis communication, fueling perceptions of insincerity. The company eventually corrected it to read “Re-notification Regarding the Personal Information Leak Incident” and blamed “a temporary error during technical processing,” but by then, the damage to consumer trust was done.
Legal Pressure Mounts
The customer exodus comes as the company faces intensifying legal and government scrutiny, with nearly two-thirds of the country’s population affected by the breach.
The U.S. office of South Korean law firm SJKP LLP has begun inviting users of “Coupang Shopping, Coupang Eats, Coupang Play, and other services who believe their data may have been exposed” to join a proposed class action lawsuit.
On December 9, police officials from the Seoul Metropolitan Police Agency’s cyber investigation team reportedly raided Coupang’s headquarters to search for internal documents and records. The agency is looking to assess possible security lapses and track down the suspect behind the breach, which allegedly may involve a former employee.
And Coupang founder and Chairman Kim Bom-suk has been summoned to appear at a public National Assembly hearing on December 17 as a key witness. Lawmakers say earlier emergency questioning left major gaps in the company’s explanations. Park, former CEO Kang Han-seung, Chief Information Security Officer Brett Matthes and senior government officials and cybersecurity experts will also testify.
South Korea’s political leadership is signaling tough consequences ahead. President Lee Jae-myung has called for stronger penalties for corporate negligence in safeguarding customers’ personal information, noting that the Coupang breach had become a national wake-up call. Under current law, companies that fail to maintain adequate data protection controls can be fined up to 3 percent of their annual revenue. With Coupang reporting 38.3 trillion won in revenue for 2024, the company could face a penalty exceeding 1 trillion won (about $680 million).
On December 8, the Office of the President ordered “immediate implementation of measures to prevent secondary damage, citing growing public anxiety” over the potential for the leaked customer data to be used for online fraud or credit card fraud, and emphasized that the company “must clearly present a plan for taking responsibility in case of damage.”
“As media reports have confirmed that Coupang added a disclaimer to its terms and conditions stating that it is not responsible for any damages suffered by customers due to hacking, we have instructed a thorough review and corrective action to address any terms and conditions that are unilaterally disadvantageous to consumers.”
The e-commerce giant said in its statement that it has “blocked unauthorized access and strengthened internal monitoring,” hiring an independent security firm to assist its ongoing investigation. “Coupang is currently reviewing changes to its existing data security devices and systems to better protect customer data from future incidents,” Park added.
But the narrative emerging is of a company whose customer experience failed after its technology was compromised.
The crisis highlights how quickly customer attrition can accelerate when trust is lost and the importance of accuracy and transparency in shaping public perception when communicating a security incident. With users continuing to leave and regulatory pressures mounting, Coupang now faces a long path to rebuilding trust.