It is going from bad to worse for Coupang, the South Korean e-commerce leader that suffered a massive data breach in June 2025.
Over the past week, the company was raided by the police seeking security mishaps and lost its CEO.
Coupang’s CEO Replaced by US-Based Executive
South Korean press agency Yonhap reported on December 10 that Coupang Corp.’s CEO, Park Dae-jun, had stepped down as CEO.
This resignation comes a few days after the company revealed that the data leak affected 33.7 million users, which represents nearly two-thirds of the country's population and is much higher than the 4500 accounts initially reported to authorities on November 20.
"I deeply apologize for disappointing the public over the recent data breach and have decided to step down from all my positions to take full responsibility for both the incident and the company's response," Park said in a statement.
Coupang Inc., the US-headquartered parent company, said in a separate press released that it has appointed Harold Rogers, the current chief administrative officer and general counsel, based in Seattle, as interim CEO to lead its South Korean unit's response and address customer concerns.
"I know this situation has been unsettling for many. Our priorities now are clear: address this incident thoroughly, strengthen our information security to prevent recurrence and restore trust," Harold said in his own statement.
Seoul Police Raided Coupang’s Headquarters
The day before the resignation announcement, Yonhap reported that the Seoul Metropolitan Police Agency raided Coupang’s headquarters in southern Seoul to search for internal documents and records related to the breach.
South Korean authorities are investigating potential security vulnerabilities at Coupang while working to identify the individual responsible for the breach.
A search warrant has been issued for a Chinese national and former Coupang employee, who is suspected of violating information and communications network laws and leaking confidential data, according to sources close to the matter cited by Yonhap.
"Based on the secured digital evidence, we plan to comprehensively determine the overall facts of the case, such as the leaker of the personal information as well as the route and cause of the leak," a police official told Yonhap reporters.
South Korea’s Data Regulator Slams Coupang’s Breach Clauses
Finally, Yonhap reported that the Personal Information Protection Commission (PIPC), South Korea's privacy regulator, ordered Coupang Inc. to revise its liability exemption clause for data breaches and simplify its membership cancellation process.
The PIPC revealed that Coupang revised its terms of service in November, introducing a new clause that disclaims responsibility for any harm resulting from unauthorized third-party access to its systems.
This clause, the regulator argued, violates the country’s Personal Information Protection Act as it obscures the company’s accountability in cases of intentional or negligent wrongdoing.
Additionally, the PIPC criticized Coupang for making its account deletion process unnecessarily complicated, effectively blocking users from canceling paid subscriptions before their expiration dates.
The regulator also ordered Coupang to establish a specialized task force to mitigate potential further harm to affected users.