The CEO of South Korean e-commerce giant Coupang has resigned amid an escalating backlash over a massive data leak that exposed the personal information of around 33.7 million customers.
Coupang has appointed Harold Rogers, Chief Administrative Officer of its U.S.-based parent company, as interim CEO, the company said in the December 10 announcement.
Park’s departure on December 10 comes less than two weeks after the retailer, known as the Amazon of South Korea, confirmed that customer names, email addresses, phone numbers, shipping addresses and parts of their order histories were leaked in an incident believed to have started in June. Payment information and login credentials were not involved, according to the company.
Park was quoted in the statement:
“I am deeply sorry for disappointing the public with the recent personal information incident. I feel a deep sense of responsibility for the outbreak and the subsequent recovery process, and I have decided to step down from all positions.”
Rogers is tasked with rebuilding customer confidence and coordinating the U.S. parent company’s role in the crisis response. Rogers has been appointed “to proactively address the situation and alleviate customer concerns,” the company stated, positioning customer trust as the central priority.
The interim CEO’s focus will be on “alleviating customer anxiety caused by the personal information leak,” and stabilizing the organization as it addresses “internal and external crises” caused by the breach, the company added
His departure reflects not only the scale of the security failure but also the collapse in public confidence and the widespread perception that Coupang mishandled early communications.
Rogers now faces a frustrated customer base and a rise in users deleting their accounts in response to the breach. After the company botched its apology by leaving promotional metadata in the URL, customers have been even less impressed with how it’s handled the crisis.
Regulatory Pressure Raises the Stakes for Customer Experience
Park’s exit followed a statement by Prime Minister Kim Min-seok earlier in the day declaring that the government would conduct a thorough investigation and take stern action if Coupang is found to have violated data protection law. Police raided Coupang’s Seoul headquarters the previous day, seizing records and digital evidence as part of a widening probe into the leak’s cause and the company’s handling of personal data.
The crisis has prompted the U.S. office of South Korea law firm SJKP to explore a class action lawsuit, as the company is headquartered in Seattle, Washington. And because it is listed on the New York Stock Exchange, Coupang may also face penalties from the U.S. Securities and Exchange Commission (SEC) after it failed to promptly disclose the breach to investors.
Under SEC rules, companies listed on U.S. exchanges must report material cybersecurity incidents within four business days of determining their significance. Coupang notified Korean authorities on November 18 but only later informed U.S. investors, raising questions about compliance.
South Korea’s Personal Information Protection Commission (PIPC) issued a sweeping set of corrective requirements during its December 10 general meeting, stating that Coupang’s past practices may violate multiple provisions of the Personal Information Protection Act.
The PIPC outlined a series of mandatory corrections, starting with a rewrite of Coupang’s Terms of Use, which currently include a 2024 disclaimer saying the company is not responsible for damages caused by illegal third-party access. The regulator also directed the company to simplify its membership withdrawal process after finding it overly complex, with multiple steps, hidden menus and repeated prompts that created unnecessary friction for users, especially those with paid subscriptions.
The commission also ordered improvements to its data leak notifications and secondary-damage prevention efforts, stating that Coupang’s compliance with measures required on December 3 is incomplete. Coupang must keep leak notices active for at least 30 days, bolster its response team and step up monitoring for leaked account data by tracking reports circulating online and on dark web forums. The company is required to report back within seven days detailing how it is mitigating the risks. The PIPC stated:
“The Personal Information Protection Commission (PIPC) recognizes the gravity of this large-scale personal information leak and is closely investigating the circumstances surrounding the leak and any violations of the Personal Information Protection Act.”
A former Coupang employee who maintained unauthorized system access for months is suspected.
Rogers inherits a company under intense domestic and international pressure. Coupang reiterated its apology “for any inconvenience caused by the personal information leak,” and pledged to “strengthen information security to prevent a recurrence and do our best to restore trust.”
Coupang’s next moves will determine whether it can turn a reactive crisis into a long-term commitment to improve its customer experience.
