Law Firm Investigates Coupang Directors
A shareholder litigation law firm has launched an investigation into whether certain officers and directors at e-commerce giant Coupang, Inc. (CPNG) breached their fiduciary duties. The probe follows a federal securities lawsuit filed against insiders at the company.
The investigation into Coupang's leadership is rooted in a massive data breach that began in June 2025 but was only discovered internally on November 18, 2025. A former employee exploited unrevoked access to the personal data of approximately 33.7 million users, exposing names, phone numbers, email addresses, and shipping details. South Korean authorities were notified on November 19, 2025, more than 53 hours after internal discovery, exceeding the country's 24-hour mandatory reporting window. The company's public disclosure of the full scope of the breach did not occur until November 29, 2025. This delay is a central point in the federal securities lawsuit, which alleges that the company failed to file a timely report with the U.S. Securities and Exchange Commission. The breach has been characterized by a South Korean government-led investigation as a "management problem" rather than a sophisticated cyberattack, highlighting failures in internal controls and offboarding processes. Allegedly, a developer who was fired in January 2025 retained access to authentication tokens, which were used to access the user data months later. In the immediate aftermath, Park Dae-jun, the CEO of Coupang's Korean operations, resigned on December 10, 2025, to take responsibility for the breach and the company's response. The U.S.-based parent company appointed its Chief Administrative Officer, Harold Rogers, as interim CEO to manage the crisis. The investigation into the directors' fiduciary duties will likely scrutinize whether they exercised reasonable oversight over cybersecurity risks. A breach of these duties can occur if leadership fails to implement adequate security systems, leading to personal liability for the harm caused to the corporation. In response to the incident, Coupang announced a compensation plan valued at approximately $1.17 billion, offering vouchers to affected users. However, this move drew criticism from lawmakers and consumer groups who argued it was more of a marketing strategy to keep funds within Coupang's ecosystem rather than genuine restitution. Coupang and the South Korean government have disputed the extent of the damage. While the government maintains that data from over 33 million users was exposed, Coupang has claimed the former employee only saved records from about 3,000 accounts, which were later deleted. This discrepancy is a key point of contention in the ongoing legal battles.
