What happened
South Korean e‑commerce giant Coupang is facing a U.S. securities class action lawsuit following the disclosure of a major cybersecurity breach that exposed personal information of more than 33 million customers. The complaint, filed in federal court in California, alleges that Coupang and senior executives, including CEO and Chairman Bom Kim and CFO Gaurav Anand, misled investors about the company’s cybersecurity practices and failed to disclose the breach in a timely manner under U.S. securities laws. The lawsuit alleges that the company’s U.S. regulatory filings understated its vulnerability to cyberattacks and overstated its safeguards.
Who is affected
- Customers: Personal data, including names, email addresses, delivery addresses, and order histories, was accessed by an unauthorized actor, reportedly a former employee who retained system access for months. Coupang says payment information and login credentials were not compromised.
- Investors: Shareholders who bought Coupang securities between August 6 and December 16, 2025, make up the proposed class in the lawsuit, which argues that timely disclosure of the breach would have influenced investment decisions.
- Company leadership: The chief executive of Coupang’s Korean subsidiary, Park Dae‑jun, resigned in the wake of the incident.
Why CISOs should care
This case underscores the growing legal and financial risks of cybersecurity incidents, particularly for publicly listed companies. CISOs should note that:
- Disclosure timing matters: Delayed or incomplete reporting of a breach can trigger investor litigation and regulatory scrutiny.
- Insider threats pose a major risk: The breach reportedly involved a former employee retaining access, highlighting the importance of robust deprovisioning and insider threat controls.
- Reputation and financial impact: Beyond direct remediation costs, breaches can lead to executive turnover, share price declines, and costly legal challenges.
3 Practical actions
- Strengthen access controls and deprovisioning: Implement strict identity and access management (IAM) processes to promptly revoke credentials when staff depart or change roles.
- Review disclosure policies: Work with legal and investor relations teams to ensure breach-reporting protocols align with regulatory requirements across all jurisdictions where your company is listed.
- Enhance monitoring and detection: Deploy advanced monitoring to quickly detect anomalous access and integrate breach response playbooks with corporate communication plans to minimize disclosure delays.
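The deprovisioning and monitoring actions above can be checked with a periodic reconciliation of HR exit records against the credential inventory and access logs. The following is an added example, not code from Coupang or from the original article; the record layouts, the 24-hour revocation SLA, and all sample data are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the incident): HR exit dates per user,
# a credential inventory, and access-log events keyed by credential id.
HR_TERMINATIONS = {"u1001": "2025-03-01", "u1002": "2025-05-15"}
CREDENTIALS = [
    {"id": "key-a", "owner": "u1001", "revoked_at": None},
    {"id": "sso-b", "owner": "u1001", "revoked_at": "2025-03-01"},
    {"id": "key-c", "owner": "u1002", "revoked_at": "2025-05-20"},
    {"id": "key-d", "owner": "u2001", "revoked_at": None},  # current employee
]
ACCESS_LOG = [
    {"cred": "key-a", "ts": "2025-06-10T02:14:00", "resource": "customer_db"},
    {"cred": "key-c", "ts": "2025-05-18T11:00:00", "resource": "orders_api"},
    {"cred": "key-d", "ts": "2025-06-11T09:00:00", "resource": "orders_api"},
    {"cred": "sso-b", "ts": "2025-02-20T10:00:00", "resource": "wiki"},
]
GRACE = timedelta(hours=24)   # assumed revocation SLA after exit
NOW = datetime(2025, 6, 15)   # constructed audit time

def audit(terminations, credentials, access_log, now):
    """Return findings for credentials owned by departed staff."""
    uses = {}
    for ev in access_log:
        uses.setdefault(ev["cred"], []).append(ev)
    findings = []
    for cred in credentials:
        exit_date = terminations.get(cred["owner"])
        if exit_date is None:
            continue  # owner has not left; out of scope for this audit
        exit_dt = datetime.fromisoformat(exit_date)
        if cred["revoked_at"] is None:
            # Never revoked: report how many days it has outlived the exit.
            findings.append(("STILL_ACTIVE", cred["id"], (now - exit_dt).days))
        else:
            lag = datetime.fromisoformat(cred["revoked_at"]) - exit_dt
            if lag > GRACE:
                findings.append(("LATE_REVOCATION", cred["id"], lag.days))
        # Any use after the exit date is an incident lead, revoked or not.
        for ev in uses.get(cred["id"], []):
            if datetime.fromisoformat(ev["ts"]) > exit_dt:
                findings.append(("USED_AFTER_EXIT", cred["id"], ev["resource"]))
    return findings

if __name__ == "__main__":
    for finding in audit(HR_TERMINATIONS, CREDENTIALS, ACCESS_LOG, NOW):
        print(finding)
```

A USED_AFTER_EXIT finding is the one to route into the breach response playbook, since it indicates actual access rather than only a hygiene gap.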
