Home > Business > Industry

Lawsuit threats ramp up over Coupang breach, but history points to diminishing returns

Published: 02 Dec. 2025, 07:00 Updated: 02 Dec. 2025, 08:44

The Coupang company logo is seen at its headquarters in Songpa District, southern Seoul, on Dec. 1. [NEWS1]

Following a massive data breach that exposed the personal information of 33.7 million Coupang customers, the nation's leading e-commerce platform is now facing a growing wave of potential class-action lawsuits. While law firms are actively mobilizing to represent victims, legal experts caution that securing compensation may be a long and difficult process.

Just two days after Coupang disclosed the leak on Saturday, over 10 Naver community forums dedicated to preparing lawsuits had been created as of Monday. One of the largest, “Coupang Hacking Victims Class Action Cafe,” had more than 80,000 members, while another, “Coupang Personal Information Leak Class Action Cafe,” had 70,000. Combined, the total number of users signaling interest in legal action exceeded 200,000.

Law firms are also moving quickly. On Monday, Lawfirm Chung filed a complaint with the Seoul Central District Court on behalf of 14 clients, seeking 200,000 won ($136) per person in damages. The suit was "filed pre-emptively to avoid excessive delays in relief while investigations continue," according to attorney Kwak Jun-ho.

Other firms are still gathering participants. Jihyang Law, which previously handled cases related to data leaks at companies such as Homeplus, announced on Sunday that it would seek damages from Coupang for violating personal data protection laws and began recruiting plaintiffs through online forums and its website.

Attorney Kim Kyeong-ho of Hoin Law Office said his post on Facebook calling for plaintiffs drew 1,650 sign-ups in one day. “Public participation has been explosive,” he wrote, adding that it had become difficult to respond to all inquiries. Attorney Ha Hee-bong of Lawpid Legal Services also announced plans to prepare a joint lawsuit.

The firms claim Coupang failed to properly manage its employees, with an attorney from Jihyang blaming a former employee with Chinese nationality for accessing customer data after leaving the company. They further allege the company neglected basic security measures like access control, log monitoring and data encryption. “This breach was a man-made disaster born of corporate security negligence,” Ha said.

Coupang CEO Park Dae-jun closes his eyes while listening to questions from reporters after attending an emergency meeting held at the Government Complex in central Seoul on Nov. 30 [NEWS1]

Legal limitations and modest compensation

Despite the rapid response, legal analysts say meaningful compensation remains unlikely under Korea’s current legal framework. In past large-scale leaks, including the 2011 SK Communications incident that affected 35 million people, few victims received compensation — and never on the scale of the damage.

This is because Korea lacks a full-fledged class-action system for data privacy cases. Currently, class-action suits are only recognized for violations of the Capital Markets Act. In data breach cases, only plaintiffs who directly participate in the lawsuit are eligible for compensation.

For example, in the 2016 Interpark hack, where the data of 10.3 million users was exposed, only about 2,400 victims joined the lawsuit. Legal experts estimate that less than 1 percent of victims typically take part in such suits. The Coupang incident is expected to follow a similar trend, with far fewer participants than the number of online community members suggests.

Even when companies are found liable, compensation is generally limited to around 100,000 won per person. In the Interpark case, a court awarded 100,000 won per plaintiff after a four-year legal battle. Similarly, a data leak involving three credit card companies resulted in a 100,000 won payout after four years of litigation. Lawyers involved in the current Coupang case are targeting payouts of 100,000 to 200,000 won.

The reporter holds up a Coupang Fresh Bag in front of the company headquarters in Songpa District, southern Seoul, on Dec. 1. [YONHAP]

Coupang’s delayed response may affect outcome

However, some variables in the Coupang case differ from previous incidents. The company reportedly failed to detect the breach for five months — from June until November.

“If Coupang had a proper system for regularly monitoring access logs, it would have been impossible to overlook suspicious foreign access for several months," said Attorney Noh Jung-yeon of Jihyang Law.

If it is confirmed that the breach resulted from an insider and not an external hack, Coupang’s legal liability may increase. In the SK Communications case, the Supreme Court ultimately ruled in the company’s favor, citing the external nature of the hack as a key factor. “Whether the breach was caused by an unavoidable external attack or an internal actor will be a major legal issue,” said one legal expert.

On the other hand, if Coupang’s argument that the leaked data did not include sensitive financial information such as payment or login credentials is accepted by the court, it could result in lower compensation.

This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom.
BY KIM JUN-YOUNG [[email protected]]