South Korean firm hit with US investor lawsuit over data breach disclosure failures


A US federal securities class action lawsuit has alleged that South Korean ecommerce giant Coupang took nearly a month to disclose a massive data breach to regulators, violating SEC rules that require companies to report material cybersecurity incidents within four business days.

The lawsuit, filed December 18, came just two days after Coupang finally submitted a Form 8-K disclosure to the Securities and Exchange Commission — 28 days after discovering the breach on November 18.

The complaint alleges that CEO Bom Kim and CFO Gaurav Anand knew or recklessly disregarded that the company had “inadequate cybersecurity protocols” allowing a former employee to access customer data for nearly six months without detection. The breach exposed personal information from 33.7 million customer accounts, Coupang said.

Disclosure deadline missed

The SEC adopted its cybersecurity disclosure rules in July 2023. They require a company to disclose a material cybersecurity incident under Item 1.05 of Form 8-K within four business days of determining that the incident is material. Disclosure can be delayed only if the US Attorney General determines that disclosing it would pose a substantial risk to national security or public safety.

The complaint alleges that Coupang received no such exemption. On the complaint's timeline, counting from the November 18 discovery, the filing was due by November 24; Coupang did not file until December 16.

Between discovery and disclosure, media reports prompted organizational upheaval. Park Dae-jun, CEO of Coupang’s South Korean operations, resigned December 10 after stating he would “take full responsibility for both the incident and the handling of the case.” Harold Rogers, Coupang’s general counsel and chief administrative officer, assumed the role of interim CEO of the Korean subsidiary.

Coupang founder and CEO Bom Kim declined to appear at a South Korean parliamentary hearing about the breach, citing business obligations — a decision lawmakers condemned as a “systematic evasion of corporate responsibility.”

Authentication keys left unrevoked after employee departure

Investigators traced the breach to a former employee who retained valid authentication credentials after leaving the company in 2024, according to statements by South Korean lawmaker Choi Min-hee. The individual, a 43-year-old Chinese national, had worked on authentication management systems and joined Coupang in November 2022.

Rep. Choi Min-hee, chair of the National Assembly's Science, ICT, Broadcasting and Communications Committee, released analysis results in a November 30 press release pointing to failures in basic security procedures. The company failed to renew or revoke signing keys, the cryptographic keys used to issue access tokens, when the employee left. Unlike a user password, a token signing key is not tied to one person: whoever holds it can mint tokens for any identity the key is trusted for, so the key's validity period, not the lifetime of any single token, bounds how long a leaked key remains exploitable.

“Abandoning a long-term valid authentication key was not simply a deviation by an internal employee, but the result of organizational and structural problems at Coupang that neglected the authentication system,” Choi said in the press release.

Information Coupang itself provided to lawmakers indicated that the company set token signing key validity periods of five to ten years, with rotation periods varying by key type.
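The failure mode described above, as an added example that is not part of the original article and is not Coupang's code: an HS256-style access token scheme in which a departed employee still holds a signing key issued years earlier. The key names, secret, dates and the 10-year lifetime are constructed for illustration. The example contrasts two key policies (never rotate, versus rotate and revoke at departure) with two verifiers (one that checks only the signature and the token's own expiry, one that also enforces the key's validity window and revocation status). It uses only the Python standard library.

```python
import base64
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _ts(year: int, month: int, day: int) -> int:
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


class KeySet:
    """Token-signing keys keyed by 'kid', each with a validity window and a revoked flag."""

    def __init__(self):
        self.keys = {}

    def add(self, kid, secret, not_before, lifetime_days):
        self.keys[kid] = {"secret": secret, "not_before": not_before,
                          "not_after": not_before + lifetime_days * 86400, "revoked": False}

    def revoke(self, kid):
        self.keys[kid]["revoked"] = True

    def rotate(self, old_kid, new_kid, now, lifetime_days=90):
        """Issue a fresh short-lived key and retire the old one in the same step."""
        self.add(new_kid, secrets.token_bytes(32), now, lifetime_days)
        self.revoke(old_kid)


def mint(secret: bytes, kid: str, sub: str, iat: int, ttl: int = 3600) -> str:
    """Anyone holding the raw secret can mint a token, so the secret's lifetime,
    not the token's, bounds how long a leak stays exploitable."""
    header = {"alg": "HS256", "kid": kid}
    claims = {"sub": sub, "iat": iat, "exp": iat + ttl}
    signing_input = ".".join(_b64(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def _parse(token: str):
    h, c, s = token.split(".")
    return json.loads(_unb64(h)), json.loads(_unb64(c)), _unb64(s), h + "." + c


def _signature_ok(key: dict, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


def verify_lax(keyset: KeySet, token: str, now: int) -> bool:
    """Checks the signature and the token's own exp only; key age and status are ignored."""
    header, claims, sig, signing_input = _parse(token)
    key = keyset.keys.get(header.get("kid"))
    if key is None or header.get("alg") != "HS256":
        return False
    return _signature_ok(key, signing_input, sig) and claims["exp"] > now


def verify_strict(keyset: KeySet, token: str, now: int) -> bool:
    """Same signature check plus key lifecycle: the key must be unrevoked and inside
    its validity window, and the token must have been issued inside that window."""
    header, claims, sig, signing_input = _parse(token)
    key = keyset.keys.get(header.get("kid"))
    if key is None or header.get("alg") != "HS256" or key["revoked"]:
        return False
    if not (key["not_before"] <= claims["iat"] <= now < key["not_after"]):
        return False
    return _signature_ok(key, signing_input, sig) and claims["exp"] > now


def run_scenarios() -> dict:
    """A 2022 signing key leaves with an employee in mid-2024; a year later they mint
    a token. Returns whether each verifier accepts it under each key policy."""
    leaked_secret = b"constructed-demo-secret-not-a-real-key"  # constructed value
    onboarded, departed, now = _ts(2022, 11, 1), _ts(2024, 6, 1), _ts(2025, 6, 1)
    insider_token = mint(leaked_secret, "auth-key-2022", "svc-admin", iat=now)

    # Weak policy (the setting described above): ten-year key, nothing happens at departure.
    weak = KeySet()
    weak.add("auth-key-2022", leaked_secret, onboarded, lifetime_days=3650)

    # Corrected policy: departure is treated as a key-compromise event; rotate and revoke.
    fixed = KeySet()
    fixed.add("auth-key-2022", leaked_secret, onboarded, lifetime_days=3650)
    fixed.rotate("auth-key-2022", "auth-key-2024-06", departed)

    return {
        "weak_policy_lax_verifier": verify_lax(weak, insider_token, now),
        "weak_policy_strict_verifier": verify_strict(weak, insider_token, now),
        "rotated_lax_verifier": verify_lax(fixed, insider_token, now),
        "rotated_strict_verifier": verify_strict(fixed, insider_token, now),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'ACCEPTED' if accepted else 'rejected'}")
```

The two results worth noticing: with a ten-year key that is never retired, even the strict verifier accepts the insider's token a year after departure, because the key is genuinely still valid; and after rotation, the lax verifier still accepts it, because revocation only helps when every verifier consults key status rather than trusting any key whose signature checks out. Both the policy (short lifetimes, revoke on departure) and the enforcement (verifiers that honour key windows and revocation) are needed.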

Legal test case for SEC cybersecurity rules

Legal observers noted the Coupang lawsuit appears to be among the first securities class actions directly challenging compliance with the SEC’s 2023 cybersecurity disclosure guidelines.

“This is a specific reason why I find the new Coupang lawsuit particularly interesting, and that is because one of the suit’s major allegations is that the company allegedly failed to make the requisite disclosures under the SEC’s cybersecurity disclosure guidelines,” the legal journal The D&O Diary wrote in an analysis of the case.

The complaint also alleges Coupang made materially false statements in quarterly reports filed in August and November 2025. Those reports incorporated risk disclosures from the company’s 2024 Annual Report detailing encryption technology and security measures — statements the complaint said “materially understated Coupang’s risk of a material cybersecurity event.”

When Coupang finally filed its Form 8-K, the company stated it had activated incident response procedures, blocked unauthorized access, and reported the incident to Korean authorities. The filing acknowledged Korean regulators “will potentially impose financial penalties” but said the company could not reasonably estimate losses.

Regulatory scrutiny in South Korea

In South Korea, Coupang faces potential fines up to 1.2 trillion won ($814 million) under the Personal Information Protection Act, which requires companies to notify regulators within 24 hours of discovering a breach and maintain appropriate safeguards.

South Korean police raided Coupang’s Seoul headquarters twice as part of their investigation. President Lee Jae Myung called for expanded class action lawsuit provisions, saying “every Korean has been affected” by the breach affecting nearly two-thirds of the country’s 51.7 million population.

The lawsuit seeks to establish a class of investors who purchased Coupang securities between August 6 and December 16. Multiple law firms have announced they are investigating similar claims. A case management conference is scheduled for March 20.
