Taiwan Was Different: The 5 Critical Differences in How Korean and Taiwanese Governments Responded to the Coupang Data Breach
In Coupang's 33.7 million personal data breach, Taiwan moved swiftly with independent investigations, fines pressure, and victim compensation demands — while Korea lagged behind in both speed and intensity. Today (Feb 27), as Coupang's Q4 operating profit plummeted 97% and turned to a net loss, the legislative follow-up to the newly passed Personal Information Protection Act amendment ('Coupang Prevention Act') is once again heating up.
Why does this matter right now? The Coupang incident is more than a simple security failure. Looking at how two governments responded to the same incident at the same company reveals exactly where Korea's personal data governance stands.
TL;DR
- November 2025 Coupang data breach: Final confirmed scale of 33.7 million records (Korea) + 200,000 in Taiwan
- Taiwan's Ministry of Digital Affairs (MODA) launched an independent investigation and applied fine pressure immediately after the incident → Coupang acknowledged Taiwan victims within 3 months
- Korea saw prolonged disputes over investigation authority, delayed fines, and no class-action support system for victims
- On February 12, 2026, the 'Coupang Prevention Act' (Personal Information Protection Act amendment) passed the National Assembly — enabling fines up to ₩5 trillion for breaches of 10 million+ records
- Today (Feb 27), Coupang Inc. Q4 results: Operating profit down 97% and net loss, company claims "Q1 recovery"
📋 The Facts: What Happened
On November 29, 2025, Coupang disclosed that a former employee had leaked customer data. The initial announcement stated "approximately 3,300 cases," but a forensic investigation by Mandiant, a Google subsidiary, confirmed in February 2026 that the total was 33.7 million records.
Coupang initially denied evidence of harm to Taiwanese customers, then acknowledged on February 25 that 200,000 additional records were included.
| Item | Details |
|---|---|
| Breach Disclosed | November 29, 2025 |
| Final Breach Scale | 33.7 million records (Korea) + 200,000 (Taiwan) |
| Data Leaked | Names, phone numbers, delivery addresses, order history (payment info and passwords NOT included) |
| Internal Perpetrator | Former employee; all devices claimed to have been recovered |
| Q4 Operating Profit Change | Down 97% year-on-year, net loss reported |
| Stock Price Impact | Share price fell after breach disclosure; U.S. investors filed international arbitration against Korean government |
🔥 Why Is This Back in the News Today?
Three stories broke simultaneously today, February 27, 2026:
- Coupang Inc. Q4 earnings release — Operating profit down 97%, net loss recorded. Company claims "negative December impact, Q1 recovery underway"
- Surge in comparative coverage of Taiwan's response — Reports framing Taiwan's government as faster and more decisive dominate the news portals
- Accelerating debate on implementing the 'Coupang Prevention Act' — Discussions on subordinate legislation and fine calculation standards following the February 12 passage are intensifying
🌏 Context: What Was Different Between Taiwan and Korea?
Difference 1 — Speed of Investigation
Taiwan's Ministry of Digital Affairs (MODA) launched an independent investigation immediately after the breach was disclosed. Korea announced a 'joint investigation' between the Personal Information Protection Commission and Coupang, but the government later denied this arrangement, leading to months of disputes over who was actually in charge.
Difference 2 — Pressure Through Fines
Taiwan's Personal Information Protection Act enables immediate administrative action for violations. Taiwanese authorities used the investigation findings as leverage against Coupang, ultimately securing an admission of harm to Taiwanese customers within three months. In Korea, the administrative process for levying fines was structured to take several months.
Difference 3 — Consumer Compensation Requirements
Taiwanese authorities demanded that Coupang directly notify affected customers and submit a compensation plan. In Korea, Coupang voluntarily provided three months of coupons, but no mandatory compensation order was issued.
Difference 4 — Legislative Speed
Taiwan acted immediately based on its existing personal data protection framework. Korea responded to this incident by pushing through the 'Coupang Prevention Act' (Personal Information Protection Act amendment), which only passed on February 12, 2026. The bill enables fines of up to 3% of revenue for intentional or grossly negligent breaches, or breaches of 10 million+ records — up to approximately ₩1.5 trillion based on Coupang's annual revenue of ₩50 trillion.
Difference 5 — Foreign Investor Reaction
As Korea's passive response became known, U.S. investors filed international arbitration against the Korean government in an unprecedented move. Analysts concluded that the perception of excessive protection of a domestic company had eroded foreign investor trust.
📈 Outlook: Will the 'Coupang Prevention Act' Have Real Teeth?
The passage of the Coupang Prevention Act marks a step forward for Korea's personal data protection framework. However, challenges remain:
⚠️ Risk Factors to Watch
- Coupang's counter-narrative: If actual Q1 results support the company's recovery claims, public sentiment could shift
- Debate over the law's effectiveness: With the fine cap already public knowledge, companies may calculate it as a manageable cost
- Political variable: With June local elections approaching, the legislative push could become a political flashpoint
References
- Coupang Official Statement: November 29 Incident Update
- Reuters: Coupang Braces for Increased Competition Amid Data Breach Fallout (Feb 26)
- Chosun Ilbo English: Taiwan Breach Confirmed (Feb 26)
- TechCrunch: More U.S. Investors Sue South Korean Government Over Coupang Breach (Feb 12)
Image source: Wikimedia Commons (CC BY-SA 4.0)