Coupang (NYSE: CPNG) details cybersecurity incident and leadership change

Rhea-AI Filing Summary

Coupang, Inc. reports a material cybersecurity incident at its wholly owned Korean subsidiary, where a former employee may have obtained data linked to up to 33 million customer accounts. The information includes names, phone numbers, delivery addresses, email addresses, and some order histories, but the company states that no banking details, payment card data, or login credentials were accessed.

Coupang disabled the unauthorized access, notified Korean regulators and law enforcement, and warned potentially affected customers, and says its operations have not been materially disrupted. Korean regulators have begun investigations and may impose financial penalties, but Coupang cannot yet estimate any losses. The former CEO of the Korean subsidiary resigned on December 10, 2025, and General Counsel and Chief Administrative Officer Harold L. Rogers is serving as interim CEO.

Positive

• None.

Negative

• Material cybersecurity incident involving unauthorized access to data linked to up to 33 million customer accounts, creating regulatory, legal, and financial risk.
• Regulatory and cost uncertainty as Korean regulators investigate and may impose penalties, while Coupang cannot estimate potential losses.
• Leadership change at key subsidiary with the Korean unit’s former CEO resigning and the group’s General Counsel stepping in as interim CEO during the incident response.

Insights

Cybersecurity and regulatory risk analyst

Large cyber incident exposes customer data and creates regulatory and cost risk.

Coupang discloses a material cybersecurity incident at its Korean subsidiary involving unauthorized access to customer accounts. The company reports that a former employee may have obtained names, phone numbers, delivery addresses, email addresses, and some order histories tied to up to 33 million customer accounts. It emphasizes that banking information, payment card data, and login credentials were not accessed, which reduces direct financial fraud exposure for customers.

Korean regulators and law enforcement have been notified, and regulators have started investigations. Coupang notes that one or more regulators will potentially impose financial penalties but states it cannot reasonably estimate any losses or range of losses. The company also highlights potential diversion of management attention and potentially material financial losses from remediation, regulatory penalties, litigation, customer compensation, and possible revenue impacts.

Coupang states that operations have not been materially disrupted, but the incident still introduces legal, reputational, and financial uncertainty. The resignation of the former chief executive officer of the Korean subsidiary, with General Counsel and Chief Administrative Officer Harold L. Rogers stepping in as interim CEO, adds a leadership transition on top of ongoing forensic and regulatory work, underscoring that this is a negative, thesis-relevant development.

0001834584FALSE00018345842025-12-152025-12-15

UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

Washington, D.C. 20549

FORM 8-K

CURRENT REPORT

Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934

December 15, 2025

Date of Report

(Date of earliest event reported)

COUPANG, INC.

(Exact name of registrant as specified in its charter)

Delaware

001-40115

27-2810505

(State or other jurisdiction of incorporation or organization)

(Commission File Number)

(I.R.S. Employer Identification Number)

720 Olive Way, Suite 600

Seattle, Washington 98101

(Address of principal executive offices, including zip code)

(206) 333-3839

(Registrant’s telephone number, including area code)

Not Applicable

(Former name or former address, if changed since last report)

Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions:

☐ Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425)

☐ Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a-12)

☐ Pre-commencement communications pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d-2(b))

☐ Pre-commencement communications pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e-4(c))

Securities registered pursuant to Section 12(b) of the Act:

Title of Each Class

Trading Symbol(s)

Name of Each Exchange on Which Registered

Class A Common Stock, par value $0.0001 per share

CPNG

New York Stock Exchange

Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933 (17 CFR §230.405) or Rule 12b-2 of the Securities Exchange Act of 1934 (17 CFR §240.12b-2).

Emerging growth company ☐

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐

Item 1.05. Material Cybersecurity Incidents.

On November 18, 2025, Coupang Corp. (“Coupang Corp.”), a wholly-owned Korean subsidiary of Coupang, Inc. (Coupang Corp., together with Coupang, Inc. (“Coupang, Inc.,” “our,” or “we”) and its subsidiaries and affiliates, “Coupang,”), became aware of a cybersecurity incident involving unauthorized access to customer accounts (the “Incident”). Upon discovery, Coupang activated its incident response processes, disabled the threat actor’s unauthorized access, reported the Incident to the relevant Korean regulatory and law enforcement authorities, and warned customers whose data was potentially accessed.

Based on investigative findings, Coupang has determined that a former employee may have obtained the name, phone number, delivery address, and email address associated with up to 33 million customer accounts, and certain order histories for a subset of the impacted accounts. To Coupang’s knowledge, the former employee has not publicly disclosed the obtained data. No Coupang customers’ banking information, payment card information, or login credentials were obtained or otherwise compromised in the Incident. Coupang is continuing its investigation and has engaged external forensic experts to assist with the investigation. Korean regulators have initiated investigations with which Coupang is fully cooperating. While one or more Korean regulators will potentially impose financial penalties, at this time we cannot reasonably estimate any amount of losses or range of losses that may result from such penalties.

Coupang’s operations have not been materially disrupted. Coupang remains subject to various risks due to the Incident, including diversion of management’s attention and potentially material financial losses resulting from the potential loss of revenue and potential higher expenses, including from remediation, regulatory penalties, and litigation.

The former chief executive officer of Coupang Corp., our Korean subsidiary, resigned on December 10, 2025, and Harold L. Rogers, General Counsel and Chief Administrative Officer of Coupang, Inc., is serving as interim chief executive officer of the Korean subsidiary.

Forward-Looking Statements

This report contains “forward-looking statements” within the meaning of the “safe harbor” provisions of the Private Securities Litigation Reform Act of 1995, including but not limited to, statements regarding our expectations regarding the Incident and its impact on Coupang. In some cases, you can identify forward-looking statements because they contain words such as "anticipate," "believe," "contemplate," "continue," "could," "estimate," "expect," "intend," "may," "plan," "potential," "predict," "project," "should," "target," "toward," "will," "shall," "goal," "objective," "seek," "strategy," "future," “opportunity,” “runway,” “trajectory,” or "would," and the negative of these words or other similar terms or expressions. Such forward-looking statements include, but are not limited to, statements regarding the nature and scope of the Incident, the ongoing investigations regarding the Incident, and the impact of the Incident on Coupang. Actual results and outcomes could differ materially for a variety of reasons, including, among others, Coupang’s ongoing assessment of the impacts of the Incident, including the potential discovery of additional information related to the Incident; Coupang’s expectations regarding its ability to contain and remediate the Incident; the magnitude of the potential disruption to Coupang’s business and operations; the impact of the Incident on Coupang’s relationships with customers, employees, merchants, suppliers, advertisers, investors, regulators and governmental authorities; legal, reputational, and financial harm that may result from the Incident, including financial penalties and litigation awards or settlements that may arise from regulatory investigations or litigation in connection with the Incident; distraction of management or other diversion of resources from business operations caused by the Incident; and the potentially material financial impact of the potential loss of revenue and potential higher expenses, including from remediation, regulatory penalties, litigation, customer compensation, or other additional expenses that may be incurred and borne by Coupang in connection with the Incident. Coupang is also subject to other risks and uncertainties. For additional information on other potential risks and uncertainties that could affect Coupang, please see our most recent Annual Report on Form 10-K and subsequent SEC filings. All forward-looking statements in this report are based on information available to Coupang and assumptions and beliefs as of the date hereof, and Coupang disclaims any obligation to update any forward-looking statements, except as required by law. You should not place undue reliance on our forward-looking statements.

SIGNATURES

Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.

COUPANG, INC.
By:			/s/ Harold L. Rogers
Name:			Harold L. Rogers
Title:			General Counsel and Chief Administrative Officer

Dated: December 16, 2025

FAQ

What cybersecurity incident did Coupang (CPNG) report in this 8-K?

Coupang reports a material cybersecurity incident at its wholly owned Korean subsidiary, Coupang Corp., involving unauthorized access to customer accounts by a former employee.

How many Coupang (CPNG) customer accounts were affected and what data was involved?

Coupang states that a former employee may have obtained data associated with up to 33 million customer accounts, including names, phone numbers, delivery addresses, email addresses, and certain order histories for a subset of those accounts.

Were Coupang (CPNG) customers' banking or login details compromised?

According to Coupang, no banking information, payment card information, or login credentials for customers were obtained or otherwise compromised in the incident.

How has the cybersecurity incident affected Coupang’s (CPNG) operations?

Coupang states that its operations have not been materially disrupted. However, it notes risks including diversion of management’s attention and potentially material financial losses from possible revenue impacts and higher expenses.

What regulatory and financial risks does Coupang (CPNG) face from this incident?

Korean regulators have initiated investigations, and Coupang indicates that one or more regulators will potentially impose financial penalties, though it cannot reasonably estimate any losses or range of losses at this time. The company also cites potential costs tied to remediation, litigation, and customer compensation.

Did the cybersecurity incident lead to leadership changes at Coupang’s Korean subsidiary?

Yes. The former chief executive officer of Coupang Corp., the Korean subsidiary, resigned on December 10, 2025, and Harold L. Rogers, General Counsel and Chief Administrative Officer of Coupang, Inc., is serving as interim chief executive officer of the subsidiary.