my timesThe Korea Times
  1. Economy
  2. Policy

Coupang may be penalized by US SEC over inadequate disclosure

Listen
By Yi Whan-woo
  • Published Dec 3, 2025 3:56 pm KST

Company fails to inform investors of data leak in time

Members of People’s Solidarity for Participatory Democracy and other civic groups hold a protest outside the company’s offices in Seoul’s Songpa District, Wednesday, calling on Coupang to apologize and compensate customers for the massive data breach. Yonhap

Members of People’s Solidarity for Participatory Democracy and other civic groups hold a protest outside the company’s offices in Seoul’s Songpa District, Wednesday, calling on Coupang to apologize and compensate customers for the massive data breach. Yonhap

Coupang, Korea’s largest e-commerce retailer, may face sanctions from the U.S. Securities and Exchange Commission (SEC) for failing to properly inform investors about its recent massive data breach, market observers said Wednesday.

Although its sales mostly come from Korea, Coupang is classified as a U.S. company because it is wholly owned by Coupang Inc., which is headquartered in Seattle, Washington. Coupang Inc. is also listed on Nasdaq.

The speculation follows recent revelations that the information of 33.7 million customers has been leaked, allegedly by a former employee, from June through November.

The SEC’s mandate includes enforcing the disclosure of business information that could influence a company’s share price.

“Under these circumstances, the SEC has sufficient grounds to penalize Coupang for failing to comply with the commission’s cybersecurity disclosure rules concerning the massive data leak,” Jung Eui-jung, head of the Korean Stockholders’ Alliance, said. “Such noncompliance may be met with strict regulatory action, as it could adversely impact the interests of Coupang Inc.’s shareholders.”

Jung referred to Coupang’s failure to disclose the customer data breach to the U.S. securities market even after it first became aware of the incident on Nov. 18.

This is a violation of SEC regulations, which state: “Public companies must provide the required cybersecurity incident disclosure within four business days after the company determines the incident to be material.”

The regulation further requires companies to “describe the material aspects of the incident’s nature, scope and timing, as well as its material impact or reasonably likely material impact.”

Coupang first reported the case to the Korea Internet & Security Agency on Nov. 18. At the time, the company said it had detected a data breach affecting 4,500 customers — a figure that was later revised sharply upward to 33.7 million in an updated finding announced last Saturday.

An economics professor, who declined to be named, said the 33.7 million figure represents roughly three out of every four Korean adults, meaning the incident could significantly affect Coupang Inc.’s sales as well as its stock price.

In its 2025 sales report submitted to the SEC, Coupang Inc. stated that its 2024 annual revenue reached a record $30.3 billion, with about 90 percent coming from Korea.

“The company’s heavy dependence on the Korean market exposes it to considerable structural risk, which in turn can undermine its share price,” the professor said.

Coupang Inc.’s share price dropped 5.36 percent to close at $26.65, Monday, after news of the breach spread globally.

The stock inched up 0.22 percent to finish at $26.71 on Tuesday, but the professor warned that the company “remains at risk of further decline as the case continues to unfold.”