2025-12-16 Coupang, Inc. Cybersecurity Incident

Page last updated on February 20, 2026

Coupang, Inc. initially disclosed a cybersecurity incident in an SEC 8-K filing on 2025-12-16 16:13:34 EST.

Company Summary

Coupang, Inc. is a technology and commerce company operating retail e-commerce, restaurant delivery, video streaming, and fintech services (brands include Coupang, Coupang Eats, Coupang Play) and, following its acquisition, the Farfetch luxury marketplace.

Incident Details

Material: Unknown
Is Breach: Unknown
Records Compromised: Unknown
Data Types Impacted: No Data Types Tracked (yet)

Compromised Date: Unknown
Detected Date: Unknown
Disclosure Date: Unknown
Contained Date: Unknown
Recovered Date: Unknown

Attack Goal: Unknown
Attack Tactics¹: No Attack Tactics Tracked (yet)
Attack Techniques¹: No Attack Techniques Tracked (yet)

Costs: No Costs Tracked (yet)

Filings

8-K filed on 2025-12-16

Coupang, Inc. filed an 8-K at 2025-12-16 16:13:34 EST
Accession Number: 0001834584-25-000196

Item 1.05 Material Cybersecurity Incidents.

On November 18, 2025, Coupang Corp. ("Coupang Corp."), a wholly-owned Korean subsidiary of Coupang, Inc. (Coupang Corp., together with Coupang, Inc. ("Coupang, Inc.," "our," or "we") and its subsidiaries and affiliates, "Coupang,"), became aware of a cybersecurity incident involving unauthorized access to customer accounts (the "Incident"). Upon discovery, Coupang activated its incident response processes, disabled the threat actor's unauthorized access, reported the Incident to the relevant Korean regulatory and law enforcement authorities, and warned customers whose data was potentially accessed.

Based on investigative findings, Coupang has determined that a former employee may have obtained the name, phone number, delivery address, and email address associated with up to 33 million customer accounts, and certain order histories for a subset of the impacted accounts. To Coupang's knowledge, the former employee has not publicly disclosed the obtained data. No Coupang customers' banking information, payment card information, or login credentials were obtained or otherwise compromised in the Incident. Coupang is continuing its investigation and has engaged external forensic experts to assist with the investigation. Korean regulators have initiated investigations with which Coupang is fully cooperating. While one or more Korean regulators will potentially impose financial penalties, at this time we cannot reasonably estimate any amount of losses or range of losses that may result from such penalties.

Coupang's operations have not been materially disrupted. Coupang remains subject to various risks due to the Incident, including diversion of management's attention and potentially material financial losses resulting from the potential loss of revenue and potential higher expenses, including from remediation, regulatory penalties, and litigation.

The former chief executive officer of Coupang Corp., our Korean subsidiary, resigned on December 10, 2025, and Harold L. Rogers, General Counsel and Chief Administrative Officer of Coupang, Inc., is serving as interim chief executive officer of the Korean subsidiary.

8-K filed on 2025-12-29

Coupang, Inc. filed an 8-K at 2025-12-29 16:32:50 EST
Accession Number: 0001834584-25-000202

Item 1.05 Material Cybersecurity Incidents.

On December 24, 2025 (PST) and December 28, 2025 (PST), Coupang Corp., a wholly-owned Korean subsidiary ("Coupang Corp.") of Coupang, Inc. ("Coupang, Inc.," "our," or "we") (Coupang Corp., together with Coupang, Inc. and its subsidiaries and affiliates, "Coupang,"), issued updates (collectively, the "Updates") on the cybersecurity incident (the "Incident") disclosed in the Current Report on Form 8-K filed by Coupang, Inc. with the U.S. Securities and Exchange Commission (the "SEC") on December 16, 2025. The Updates provided, in part, that the perpetrator of the Incident has been identified, is cooperating with Coupang and investigators, and has turned over all devices used in the Incident. Further, the investigation to date indicates that while approximately 33 million accounts were accessed, the perpetrator only saved limited data from approximately 3,000 customer accounts, and such customer data has been deleted without having been shared with a third party. In addition, Coupang Corp. announced a customer compensation program to issue approximately 1.685 trillion won (approximately $1.2 billion) worth of vouchers, starting January 15, 2026, to customers who were notified of the Incident at the end of November 2025 that may be applied towards future Coupang purchases. These vouchers will be reflected as reductions to the selling price and revenue recognized on each corresponding transaction.

Item 7.01 Regulation FD Disclosure.

The investigation regarding the Incident is ongoing. Copies of the Updates are furnished as Exhibit 99.1 to this Current Report on Form 8-K/A. In addition, as part of our ongoing commitment to transparency to our investors, customers, and other stakeholders, we may provide additional updates regarding the Incident and relevant developments at: https://www.aboutcoupang.com or https://news.coupang.com.

In accordance with General Instruction B.2 of Form 8-K, the information in this Item 7.01 and Exhibit 99.1 shall not be deemed to be "filed" for purposes of Section 18 of the Securities Exchange Act of 1934, as amended (the "Exchange Act"), or otherwise subject to the liability of that section, and shall not be incorporated by reference into any registration statement or other document filed under the Securities Act of 1933, as amended, or the Exchange Act, except as shall be expressly set forth by specific reference in such filing.

The information that can be accessed through hyperlinks or website addresses included in this Current Report on Form 8-K/A is deemed not to be incorporated in or part of this report.

Company Information