
The Seoul Central District Court’s Civil Division 22, presided over by Judge Park Jeong-ho, held the initial hearing in the damages suit brought by 1,998 plaintiffs, including a user identified as Kang.
The plaintiffs argued that the case is not only about the breach itself but also about Coupang’s inadequate and misleading response afterward, and they cited those failings as grounds for compensation.
“According to the joint public-private investigation team, this incident exposed an unprecedented volume of personal data—about 33.67 million records,” the plaintiffs said. “The core problem was Coupang’s response. The company described the breach as an ‘exposure’ and, in December, abruptly announced that only 3,000 records had been affected.”
They added that Coupang even ran a coupon promotion based on its internal inquiry and repeatedly insisted the leak involved only 3,000 records.
Taking those factors into account, the plaintiffs are seeking 300,000 KRW (approximately 225 USD) per person in damages.
Coupang asked the court to conduct the proceedings in a way that takes into account an ongoing investigation by the Personal Information Protection Commission (PIPC), saying the commission has not yet issued its findings and that any penalties it imposes could prompt the company to file an administrative challenge.
The company also noted that in comparable data-breach cases, administrative proceedings and civil damages suits have moved forward in parallel and said it hopes the same happens here.
The plaintiffs countered that Coupang’s stance amounted to an attempt to delay the trial.
Because the parties differed on how to proceed, the court asked the plaintiffs to submit their proposed procedures to Coupang and requested a written response indicating whether the company would accept those procedures before scheduling the next hearing. The court gave both sides roughly a month to submit their positions.
The court set the next hearing for April 17.
After the hearing, Lee Eun-woo of the Jihyang law firm, who represents the Coupang users, told reporters that the original complaint focused solely on the data breach but that the plaintiffs have since added allegations that Coupang’s post-breach deception amounts to a second wrongful act. Lee said the plaintiffs are also considering amending their claim to seek punitive damages. They plan to base requests for higher awards largely on Coupang’s alleged violation of safety obligations under Article 29 of the Personal Information Protection Act—provisions that, when the revision takes effect on Sept. 11, will allow the government to levy punitive fines.
The joint public-private investigation team found that at the end of November last year, data exposed on Coupang’s “Edit My Information” page included user names and email addresses totaling about 33.67 million records.
On the “Delivery Address List” page, an attacker accessed information—including names, phone numbers, delivery addresses, and building entry codes that had been partially obfuscated with special characters—some 148 million times, the team reported.
Coupang, for its part, has said an internal probe identified only 3,000 accounts linked to a former employee suspected in the breach and that the company deleted other related data. The PIPC continues to investigate the specific circumstances of the leak.