E-commerce giant Coupang, known as the “Amazon of South Korea”, has issued a new customer notice confirming that an additional 165,000 account records were leaked in its November 2025 data breach, while South Korea’s National Intelligence Service (NIS) has publicly accused the company’s interim CEO of making false statements to lawmakers—deepening a crisis that is increasingly defined by trust, transparency, and customer experience failures.
In a notice sent to customers, Coupang said the disclosure reflects newly confirmed findings from an ongoing investigation rather than a fresh incident. The company found in November that the breach involved 33.7 million customer accounts, affecting a sizeable portion of South Korea’s population of 52 million. Coupang stated:
“This notice relates to the personal information leak incident that occurred in November 2025. It is not a new occurrence, but rather additional findings confirmed regarding that event.”
The company added that it blocked the abnormal access route immediately after discovering it and has been “continuously cooperating with investigations by relevant authorities, such as the joint public-private investigation team and the Personal Information Protection Commission.”
According to the notice, authorities determined that approximately 165,000 additional records were exposed, consisting of “address book data entered by customers (names, phone numbers, addresses).”
Coupang said it is notifying affected users “following the recommendation of the Personal Information Protection Commission,” and stressed that “payment and login information, as well as common entrance passwords, emails, and order lists, were not leaked.”
CX Fallout From an Expanding Timeline
From a customer experience perspective, the updated disclosure reinforces the uncertainty that many users have faced since the breach first surfaced. While Coupang said it has found no evidence of secondary damage so far, the need for repeated notifications has increased anxiety among customers who believed the scope of the incident had already been fully disclosed.
The breach has caused a public backlash, which has led to a drop in Coupang’s active user base and the resignation of the company’s CEO.
Coupang’s monthly active users dropped by 1 million in January, a fall that was 10 times larger than the drop recorded between November and December, according to South Korean market intelligence firm Wiseapp.Retail.
Coupang said it will offer purchase vouchers to customers affected by the breach and repeated its apology, telling users:
“We once again sincerely apologize for causing concern to our customers.”
It has also set up a dedicated consultation line at its Personal Information Protection Center.
The retailer said it has tightened internal monitoring and put an emergency response system in place, while urging customers to stay alert for phishing and impersonation attempts. Users were advised to avoid suspicious links, double-check official communications, and be cautious of calls or messages posing as delivery drivers, recruiters, or product reviewers.
Government Accuses Coupang CEO of False Testimony
As customers absorb yet another update, Coupang is now facing a public credibility fight with the South Korean government. In a blunt statement, the National Intelligence Service accused Coupang’s interim CEO, Harold Rogers, of making “clearly false” statements during a December 30 joint hearing of six National Assembly committees and said it has asked lawmakers to pursue perjury charges under the Act on Testimony and Appraisal Before the National Assembly.
“The NIS strictly warns Coupang that such false remarks by the Coupang CEO are a serious matter that undermines trust in state agencies. We have requested the National Assembly Coupang Hearing, which holds the authority to file charges, to charge the Coupang CEO with perjury.”
The agency flatly rejected claims that it directed Coupang’s internal investigation, stating, “The claim by the Coupang CEO that ‘we did not investigate internally but investigated according to the instructions and orders of the NIS’ is completely untrue.” Aside from requesting materials, the NIS said it gave no instructions, orders, or permissions to the company.
The intelligence service also denied that it told Coupang to contact the alleged leaker. “On the contrary, regarding Coupang’s inquiry for an opinion on ‘contacting the leaker,’ the NIS emphasized several times that ‘it is correct for Coupang to make the final judgment,’” the statement said.
The NIS said Coupang had already cloned the leaker’s hard drive before the agency became involved, noting that the company created an image copy on December 15 and had already imaged the equipment before handing over the original to authorities.
Rogers has been called to appear at the Seoul Metropolitan Police Agency on Friday for questioning, according to a report by the state-owned Yonhap news agency. That follows 12 hours of questioning last Friday over obstruction of justice allegations. Rogers had defied two previous police summonses and left the country in early January.
Restoring Customer Trust Is Coupang’s Biggest Challenge
For customers, the expanded breach disclosures and the public dispute between Coupang and state authorities put fragile customer trust at further risk. Each new correction, whether about how much data was exposed, who controlled the investigation, or when key steps were taken, adds to the sense that the full picture is still emerging.
The latest developments emphasize a familiar lesson in large-scale data incidents: credibility is as important as containment. Confidence is hard to rebuild when official accounts are still being challenged. As regulators, intelligence agencies, and customers scrutinize Coupang’s words as closely as its actions, the company’s ability to restore confidence will depend on whether future disclosures feel final, clear, and beyond dispute.