3 Months of Silence Then Admission: The Full Story of Coupang's Hidden Data Breach Affecting 200,000 Taiwan Customers
Coupang admitted that personal data from approximately 200,000 Taiwanese customer accounts was breached — three months after the incident. When it disclosed a breach of 33.7 million Korean accounts in November 2025, it emphasized 'no breach in Taiwan.' On February 25, 2026, it finally came clean and offered NT$1,000 (approx. KRW 45,000) vouchers per affected account.
One-Line Hook: Coupang, which insisted 'Taiwan is safe,' reversed course three months later — 200,000 people's personal data had quietly slipped out.
TL;DR
- On November 29, 2025, Coupang disclosed that 33.7 million Korean customer accounts had been breached, while emphasizing "there was no breach in Taiwan."
- Three months later, on February 25, 2026, Coupang belatedly admitted that approximately 200,000 Taiwan-based accounts were also accessed in the same incident.
- The leaked data was limited to basic information such as names, email addresses, phone numbers, delivery addresses, and order histories. Financial, payment, and password data were not included.
- According to forensic analysis by Google subsidiary Mandiant, only 1 Taiwan account's data was actually saved (downloaded).
- Coupang has offered NT$1,000 (approx. KRW 45,000) vouchers to affected Taiwan customers, with a total compensation package of approximately KRW 9.2 billion.
The Facts: What Happened
The Origin — November 29, 2025
Coupang disclosed that a former employee had unlawfully stolen customer data in Korea. Police investigation found that 33.7 million accounts had been accessed, and Coupang issued an official statement at the time saying "Taiwan services were not affected."
The Reversal — February 25, 2026
Coupang today released the results of a joint investigation with Taiwan's Ministry of Digital Affairs. It was confirmed that approximately 200,000 of the accounts accessed in the Korean breach were Taiwan-based accounts. Coupang has not clearly stated whether it was unaware of this at the time of the initial disclosure in November 2025, or whether it knew but chose not to disclose it.
How Serious Was the Actual Damage?
According to Mandiant's forensic analysis, while 200,000 accounts were accessed, Coupang claims that data from only 1 account was actually saved (downloaded). The company states that the total data saved — including Korea — amounts to approximately 3,000 records. However, critics point out that the distinction between 'access' and 'saving' is not meaningful from a victim's perspective.
Why This Is Surfacing Now
This incident goes beyond a simple data breach — the core controversy is the 'delayed disclosure' and 'reversal of statements.'
- International Regulatory Pressure: Taiwan's Personal Data Protection Act (PDPA) requires notification to authorities within 72 hours of a data breach. Whether the three-month delay constitutes a violation is a key point of contention.
- Intersection with US Trade Disputes: The US Republican Party has characterized Korea's regulation of Coupang as 'discrimination against a US company' and raised the prospect of tariffs. Coupang's admission of poor personal data management effectively validates the Korean National Assembly's regulatory rationale against Coupang.
- Imminent USTR Section 301 Investigation: The timing coincides with the US Trade Representative (USTR) expected to decide in early March whether to launch a Section 301 trade law investigation related to Coupang.
Stakeholders: Who Is Involved
| Party | Position |
|---|---|
| Coupang | Claims it disclosed transparently after completing forensic review; emphasizes actual damage (saved data) was limited |
| Taiwan Ministry of Digital Affairs | Conducted joint investigation with Coupang; approved the findings |
| Affected Taiwan Customers | NT$1,000 (approx. KRW 45,000) vouchers to be issued; claimable from March 8 via Coupang's Taiwan app |
| Korea Personal Information Protection Commission | Sanctions for Korean incident ongoing; possible additional investigation into Taiwan case |
| Mandiant (Google) | Served as independent forensic body to verify credibility of investigation findings |
Outlook: How Long Will This Last?
Short-term (1–2 weeks): High likelihood of class action lawsuits in Taiwan, and renewed debate in the Korean National Assembly over additional Coupang data protection legislation.
Medium-term (1–3 months): Could become a new variable in Korea-US trade tensions, intertwined with the USTR Section 301 investigation results. Taiwan authorities may also announce sanctions regarding potential PDPA violations.
Long-term: This case is likely to be cited as a reference in discussions around strengthening multi-country data breach disclosure standards for global e-commerce operators.
Secondary Issues: Derived Points of Debate
- The Legal Boundary Between 'Access' and 'Saving': Legal scholars argue that mere access may already constitute a personal data violation.
- Adequacy of Compensation: Whether an NT$1,000 voucher (approx. KRW 45,000) constitutes meaningful compensation — including for emotional distress — is unavoidably controversial.
- Multinational Companies' 'Phased Disclosure' Strategy: Critics note a repeated pattern of omitting unfavorable information in initial disclosures, only to admit it later.
Risk Assessment
Checklist: If You're a Coupang User
Reference Links
- Kyunghyang Shinmun: Coupang admits 200,000 Taiwan accounts also breached — belatedly, 3 months later
- Korea Herald: Coupang confirms data breach of 200,000 accounts in Taiwan
- Taiwan News: Coupang to give 200,000 Taiwan users NT$1,000 voucher
- Coupang Official Statement: Update on the November 29 Personal Information Incident
- News1: Coupang proposes KRW 9.2 billion compensation after 200,000 accounts exposed in Taiwan
Image Credit
- Featured image: Lock and key, Wikimedia Commons (CC0 Public Domain)