Skip to main content
VitalKorea

"Why Only Hit Coupang?" vs "They Deserve It": Anatomy of Korean-Style Anger

We dissect the reality of the anger surrounding the Coupang data breach, where 33.7 million personal records were leaked. Will the 'public shaming' style criticism toward Coupang lead to system improvement, or will it end as just another political show? We seek fundamental solutions through the 17-year history of repeated data leaks.

Share
Published on · 20 min read
Illustration depicted a man tied up on a straw mat being beaten with clubs by people in traditional Korean attire, symbolizing 'Meongseok-mali' or public shaming
Image: This image is for illustrative purposes only.

33.7 Million Records Leaked, And What We Are Missing

I bought things from Coupang. I used it often because Rocket Delivery was convenient. I got used to that magical service where if I order at dawn, it arrives in the morning.

Then one day, a text message came.

“Customer’s personal information has been leaked.”

My name, email, delivery address, and common entrance password might have flowed somewhere. It means someone might know the password to my front door. I got goosebumps.

33.7 million people. That’s 3 out of 4 adults in South Korea. We are all victims. We have the right to be angry.

But watching the situation unfolding now, I feel a strange sense of dissonance.

Pouring Criticism and ‘Show’ Responses

The media hits Coupang. New articles pour out every day. The National Assembly holds a joint hearing with 6 standing committees allied. The Democratic Party of Korea proposes the ‘Kim Bom-suk Entry Ban Act’. They want to permanently ban him from entering the country like Steve Yoo (Yoo Seung-jun). Over 650,000 people flocked to the class action online cafe. Everyone is busy throwing stones at Coupang.

Coupang belatedly announced a compensation plan. They said it was 50,000 won per person, totaling 1.685 trillion won. They promoted it as the largest preemptive compensation ever. But when opened, the reality was different. The amount actually usable on Coupang was only 5,000 won. The rest was 20,000 won on Coupang Travel, 20,000 won on Coupang R.Lux (luxury goods), and 5,000 won on Coupang Eats.

Coupang Travel? Coupang R.Lux? Most consumers don’t even know what those are. Sarcasm emerged: “Written as compensation, read as marketing.” Victims were furious. Reactions poured in saying, “Does shooting coupons solve having personal info stolen?”

Kim Bom-suk, Chairman of the Board of Coupang Inc., refused to attend the National Assembly hearing. He submitted a statement of non-attendance citing ‘overseas business schedule’. The National Assembly filed a complaint against him for violating the Act on Testimony and Appraisal Before the National Assembly. They stepped up saying they would review issuing an order of accompaniment, a state investigation, and even an entry ban.

Let’s be clear. Coupang was wrong.

One former employee accessed customer data without authorization for about 5 months. Coupang failed to detect it. They stated they only recognized the leak after receiving a blackmail email on November 18. 5 months. Nearly half a year. During that period, information of 33.7 million people was accessed without authorization. This is serious negligence in security management.

Even after recognizing the leak, Coupang’s response had many problems. The Personal Information Protection Commission (PIPC) demanded a correction and re-notification within 7 days, saying Coupang’s initial notification content was inaccurate. The police expressed concern over the possibility of evidence destruction, saying Coupang’s ‘self-forensics’ proceeded without cooperation in the investigation. The difference in nuance between the Korean and English versions of the statement Coupang released on December 25 was also an act that betrayed trust.

Coupang deserves criticism. They should pay fines, compensate victims, and strengthen security systems. The homeowner who didn’t lock the door properly when a thief entered also has responsibility. That is correct.

But look at the scene unfolding now.

Rather than efforts to catch the thief, all energy is focused on publicly executing the homeowner. The media excavates new ‘charges’ against Coupang every day. The National Assembly holds hearings and yells. The public flocks to class action cafes. Everyone is busy throwing stones at Coupang.

Meanwhile, the truly important questions are being buried.

Why has this been repeating for 17 years? How can we ensure this never happens again? How will we strengthen the neighborhood’s overall security system so thieves don’t enter?

The 17-Year Repeated History of ‘Da Capo’

Let’s go back in time.

There was the Auction hacking incident. 18 million people’s personal information was stolen. About 146,000 people participated in a class action, and the lawsuit value reached 157 billion won. The result? The Supreme Court ruled “Auction has no liability for compensation.” Victims received not a single penny.

There was also the Nate/Cyworld hacking incident. 35 million people’s personal information was leaked. At the time, this was a scale equivalent to 70% of the entire South Korean population. The result? “SK Communications has no liability for compensation.” Victims received not a single penny.

The 3 Card Companies incident was even more shocking. A total of 105.8 million cases of personal information were leaked from KB Kookmin Card, NH Nonghyup Card, and Lotte Card. It was the largest scale in South Korean history. This time, the court acknowledged the companies’ liability for compensation. How much did they get? 100,000 won per person. And that was only received after several years of litigation.

The Interpark incident, the LG Uplus incident, up to the SK Telecom USIM hacking incident that broke early this year. And now Coupang.

17 years have passed. What has changed?

Personal information keeps getting stolen, companies pay a few billion won in fines and move on, and victims get 100,000 won or nothing. And we get angry again finding the next target.

Back then, the media hit those companies too. The National Assembly held hearings. The people were angry. And after a few months, they forgot. The system did not change.

Coupang will likely be the same.

‘Chewing Gum Price’ Fines and Corporate Cost Calculation

According to Hankyoreh reporting, the total personal information leaked over the past 5 years is 109,164,950 cases. The total amount of fines imposed by the Personal Information Protection Commission during the same period is about 360 billion won. If you calculate it, the fine per case is only about 3,300 won.

One case of my information is 3,300 won.

What about the U.S.? The U.S. Federal Trade Commission (FTC) imposed a $5 billion fine on Facebook (now Meta). That’s about 5.9 trillion won in our money. In the Equifax data breach incident, a settlement of $700 million was set.

South Korea? The 134.8 billion won imposed on SK Telecom is the all-time high. Under current law, there is no possibility of trillions of won being imposed. Because there is no basis to impose that much.

From a company’s perspective, fines are just a ‘cost’. If paying fines after a leak is cheaper than investing in security, who would invest in security?

But how many media reports point out this structural problem? How many National Assembly members urge the introduction of a punitive damages system? How loud are the voices of civic groups demanding the strengthening of the PIPC’s supervisory capabilities?

Articles hitting Coupang overflow. Because they get clicks. Articles demanding system improvement are hard to find. Because they don’t get clicks.

The Hearing: A ‘Yelling Show’ Without Solutions

The National Assembly decided to hold a joint hearing involving 6 standing committees in response to the Coupang crisis. It’s an unprecedented large-scale hearing. On the surface, it looks impressive.

But let’s ask. What is the purpose of this hearing?

Since when did the South Korean National Assembly hearing become ‘a place to yell at someone’ instead of ‘a place to find solutions’?

Members sit in front of microphones and shout at witnesses. Cameras roll. That scene goes on the news. It goes up on YouTube. Titles like “Who scolded whom severely”, “Who made whom mute” are attached. Views go up. The member’s approval rating goes up.

What is the essence of a hearing? To identify the cause of the problem and prepare measures to prevent recurrence. To reveal the truth and improve the system. But have you ever seen such discussions take place in a South Korean hearing?

The biggest characteristics of U.S. hearings are a thorough verification system and no time constraints. In the U.S., before a confirmation hearing, the FBI, IRS, and Office of Government Ethics are mobilized to thoroughly verify the candidate. They investigate 233 items over 2 weeks. In the U.S. Secretary of State Hillary Clinton’s hearing, questions were mainly about policies, operation plans of the State Department, and U.S. foreign policy.

South Korea? Members ask questions directly, but a significant number of those questions are rhetorical questions with answers already decided. “You did wrong, right?”, “Isn’t this deceiving the people?”, “Do you reflect on your actions?” What answer do they expect to these questions? That is not a question, it’s a sentence.

For members, a hearing is an opportunity to promote themselves. An opportunity to paint a picture in front of the public saying “I am just, and that witness is a bad person.” That scene goes on the news, spreads on SNS, and supporters cheer. It becomes votes in the next election.

So members competitively raise their voices louder. They reprimand more strongly. They attack more sharply. Who puts the witness in more trouble becomes the standard of competition. Finding a solution is outside their interest. Improving the system is not interesting. Because what viewers want is the ‘hitting scene’.

The Coupang hearing will be no different.

Members will shout at Coupang officials. “How could you not know for 5 months that 33.7 million people’s information was stolen!”, “Are you mocking the people!”, “Do you repent!” Cameras will catch that scene. It will be on the news. It will go up on YouTube. The members’ approval ratings will go up.

And after the hearing ends?

Nothing will change.

Technical analysis on why the unauthorized access to 33.7 million people’s information by a former employee for 5 months was not detected will not happen. There will be no professional discussion on what the loopholes of the current ISMS (Information Security Management System) certification system are. Alternatives on how to strengthen the supervisory capabilities of the Personal Information Protection Commission will not be presented. Agreement on when to introduce a punitive damages system will not be reached either.

The hearing ends, members go back to their districts, Coupang pays the fine, and victims will get about 100,000 won or nothing years later.

A real hearing should be a place to reveal “why this happened” and discuss “how to ensure it doesn’t happen again”. True accountability starts with specific questions. “What is the technical cause for failing to detect abnormal data access for 5 months?”, “What are the loopholes in the current ISMS certification standards that failed to prevent this accident?”, “Why was this problem not found in the PIPC’s regular inspection?”, “What are the expected effects and side effects when introducing a punitive damages system?”

How many members will ask such questions? Such questions don’t appear on the news. YouTube views don’t go up either. They don’t get ‘likes’ as much as yelling scenes.

So South Korean hearings don’t change. As long as yelling translates to votes.

What will change if Kim Bom-suk attends the hearing? If members shout “Why didn’t you come!”, “Are you ignoring the people!” at him, will personal information leaks be blocked? If he bows his head and apologizes, will my common entrance password become safe?

If the purpose of the hearing is to relieve anger, it is not a hearing but a group therapy session. If the purpose of the hearing is the members’ political gain, it is not a hearing but an election campaign.

The Media and the Public’s Misguided Anger

What is the role of the media?

To monitor power, reveal truth, and form a public sphere. But what is the media doing right now?

Articles criticizing Coupang pour out by the dozens every day. Kim Bom-suk’s assets, his family, his past remarks, Coupang’s labor environment, Coupang’s lobbying allegations. They dig into Coupang from all angles. Readers click. Ad revenue goes up.

But how many articles ask “Why do personal information leak accidents repeat for 17 years”? How many investigative reports track “Is the government’s personal information protection policy effective”? How many feature articles ask “Why has the punitive damages system not been introduced yet”?

Almost none. Because they don’t get clicks.

The media might think they are realizing justice by hitting Coupang. But that is a delusion. What the media should truly do is not hit one company called Coupang, but dig into the system’s problems of why this happens repeatedly.

There is a house where a thief entered. Is the media’s job to dig up the homeowner’s past deeds, expose how the homeowner managed door locks daily, and write articles doubting the homeowner’s character? Or is it to track why the neighborhood’s overall security system is lax, why the police don’t patrol properly, and why the law punishing thieves is so weak?

Right now, the media is immersed in the former. The latter is of no interest.

Time to Stop ‘Public Shaming’ and Change the System

The public’s anger is the same.

650,000 people gathered in the class action cafe. If each person gets 1 million won in compensation, that’s 65 trillion won. Lawyers say it’s an “all-time lawsuit”.

But look at the past.

Auction 146,000 people, total loss. Received nothing. Nate tens of thousands of people, total loss. Received nothing. 3 Card Companies hundreds of thousands of people, 100,000 won per person. That too after years of litigation.

The Coupang lawsuit is also highly likely to have a similar result. The police announced in a complete enumeration survey that they have not found any suspected cases of secondary damage so far. If this is true? The possibility increases that the court will deny liability for compensation saying “specific damage has not been proven”.

What will the 650,000 people participating in the class action gain years later? Probably 100,000 won. It’s fortunate if they even get that.

Where would it be more effective to use that energy? Participating in the Coupang class action, or pressuring National Assembly members to “introduce a punitive damages system”? Which is more effective?

Of course, we must do both. Holding Coupang accountable is also important. But if we don’t change the system, the same thing will repeat. If it ends with receiving 100,000 won from Coupang, we have to participate in another class action when information is stolen from another company next year. We have to wait another few years to get another 100,000 won.

Is this what we want?

In past large-scale personal information leak incidents, has a major shareholder ever attended a hearing?

Did the major shareholders of KB Financial Group, NongHyup Financial Group, or Lotte attend during the 3 Card Companies crisis? Did the major shareholder of SK Group attend during the Nate crisis? Was Chairman Chey Tae-won called to a hearing during the SK Telecom crisis?

If the response to Coupang is particularly hardline, is it because Coupang did something worse than other companies? Or is it because Coupang is a ‘good target to hit’?

Coupang is a U.S. corporation. Kim Bom-suk is a U.S. national. He does not reside in Korea. The expression ‘black-haired foreigner’ comes out. Pressure that cannot be easily applied to domestic chaebol heads can be applied to Coupang.

Politically too, Coupang is a ‘safe’ target. Hitting Coupang doesn’t cause much political backlash. Rather, one can gain popularity. If one hits SK or Samsung with the same intensity? That is a different story.

One reason criticism of Coupang is intense is the negative image Coupang has built up. Deaths of logistics center workers, allegations of subcontracting gapjil (abuse of power), lawsuits against media, controversy over recruiting high-ranking public officials. These ‘karma’ exploded into explosive criticism in this crisis.

However, labor environment issues and personal information leaks are separate issues. Subcontracting gapjil and security management negligence are also separate. Past wrongs do not justify excessive criticism of the current incident. The logic that “Coupang is a bad company so it’s okay to hit them all we want” is dangerous.

Coupang did wrong so they should be criticized. That is correct. But it shouldn’t end with criticizing ‘only’ Coupang. The system’s problems must be pointed out together. Otherwise, we repeat the work of finding a new ‘bad company’ and throwing stones every time.

Kim Bom-suk is a ‘Major Shareholder’, not a ‘CEO’.

He stepped down from the position of registered director and CEO of the Korean entity. The CEO of the Korean entity currently exists separately. Coupang, Inc., established in Delaware, USA, is the top holding company, and Kim Bom-suk is the Chairman of its Board. It is clear that he is the de facto ruler holding over 70% of voting rights through Class B shares.

The Act on Testimony and Appraisal Before the National Assembly stipulates that “When a person receives a demand for attendance as a witness in the National Assembly, anyone must comply.” Legally, Kim Bom-suk also has an obligation to attend. His refusal to attend deserves criticism.

But let’s ask here too. What changes if Kim Bom-suk is banned from entering the country?

Banning Steve Yoo from entering was a social sanction for draft dodging. What is banning Kim Bom-suk a sanction for? Non-attendance at a hearing? Is that a matter as grave as draft dodging?

Of course, ignoring the National Assembly is wrong. But is the extreme measure of an entry ban an appropriate response? Is it a measure to solve the problem, or a measure for a political show?

If Kim Bom-suk is banned from entry, the media will splash it across the front pages. The people will feel gratified. Members will celebrate saying “We did it.”

And personal information leaks will continue. The system will not change.

We are always like this.

We get angry when an incident breaks. The media focuses on a specific company or person. The National Assembly holds a hearing. Citizens participate in class actions. Criticism pours out on SNS.

And after a few months, we forget. When the next incident breaks, we get angry again. We find another target and throw stones. The system does not change. The law is not amended.

Auction victims received nothing. Nate victims also received nothing. 3 Card Companies victims received 100,000 won. How much will Coupang victims receive? It will likely be similar.

In the meantime, another leak accident will break out in another company. We will get angry again. Another hearing will be held. Another class action will begin.

And the system will not change.

Hitting Coupang is easy. Shouting to ban Kim Bom-suk from entry is easy. Participating in a class action is also easy.

Changing the system is hard. Pressuring the National Assembly to introduce a punitive damages system is hard. Pressuring the government to strengthen the PIPC’s supervisory capabilities is hard. Demanding the substantiation of the ISMS certification system is hard.

We are doing only the easy things.

It is irresponsible to only criticize and not offer alternatives.

What should be done?

A punitive damages system must be introduced. Current fines are just a ‘cost’ to companies. Paying fines after a leak is cheaper than investing in security. This structure must be changed. It should be possible to impose 10%, 20% of sales as fines.

The supervisory capabilities of the Personal Information Protection Commission must be strengthened. Currently, the PIPC lacks budget and manpower. It is insufficient to supervise thousands of companies. Budgets must be increased, and professional personnel must be expanded.

The ISMS certification system must be substantiated. Currently, ISMS certification ends as a formal procedure. Large-scale leak accidents occur even in certified companies. Certification standards must be strengthened, and post-inspection must be mandated.

A class action system (opt-out) must be introduced. Currently, class actions (securities-related only, generally group litigation in Korea requires opt-in) require individual victims to participate. It costs a lot of time and money. If a class action system is introduced properly, consumer groups can file lawsuits as representatives.

Which of these is being discussed in the National Assembly? Which is a priority in government policy? Which is receiving the spotlight from the media?

I don’t know. I only see news hitting Coupang.

I am also a victim. One of 33.7 million people. I am angry.

But my anger is not directed only at Coupang.

It is directed at the media that deludes itself into thinking it realizes justice by hitting Coupang. It is directed at the National Assembly members who think they did their job by yelling at hearings. It is directed at ourselves who are satisfied thinking we did something by participating in a class action.

Coupang did wrong. They must be criticized. They must take responsibility.

But if we end with only hitting Coupang, we cannot change anything. If information is stolen from another company next year, we will hit that company again. Another hearing will be held. Another class action will begin. We will get angry again. We will forget again.

A thief entered. It is true the homeowner neglected to lock the door. But isn’t catching the thief and strengthening the neighborhood’s overall security system more important?

Right now, we are busy publicly executing the homeowner. We don’t even care where the thief went. We don’t even touch the security system.

This is the Korean-style problem solving. Without touching the system, we put one person in the square and do ‘Meongseok-mali’ (public shaming/beating).

The public always enjoys putting one person in the square and shaming them. Today it is Coupang. Tomorrow it will be someone else. The spectators in the square clap, pour out anger, and delude themselves that justice has been realized.

But justice is realized when the system changes. It is realized when the next victim does not emerge.

Nothing changes with public shaming. My information does not come back. It does not prevent the next 33.7 million people.

Without improving the system, we only try to punish. The public always enjoys putting one person in the square and shaming them.

Until when?

References and Citations

News Reports

  • KBS News, “‘Coupang Joint Hearing’ to be held on 30-31st… 6 Standing Committees Participating”, 2025.12.23. Link
  • Maeil Business Newspaper, “Like ‘Draft Dodger’ Steve Yoo… ‘Coupang Kim Bom-suk Entry Ban Act’ Proposed”, 2025.12.20. Link
  • MINBYUN - Lawyers for a Democratic Society, “620 Citizens Apply for Collective Dispute Mediation on Coupang Personal Info Leak”, 2025.12.10. Link
  • JoongAng Ilbo, “Coupang’s Weird ‘50,000 Won Per Person’ Compensation… Only 5,000 Won Usable on Coupang, Why”, 2025.12.29. Link
  • Hankyoreh, “Coupang R.Lux? Don’t Even Know What It Is… ‘Fake 50,000 Won’ Trick Compensation Growing Anger”, 2025.12.29. Link
  • Hankyoreh, “Kim Bom-suk, Reluctantly Apologizes 29 Days After ‘Coupang Crisis’… Sticking to ‘Hearing Non-Attendance’”, 2025.12.28. Link
  • Namuwiki, “Coupang Large-Scale Personal Information Leak Incident” Link

Hearing System Related

  • Sunday Journal USA, “[Special Series 1] Problems with the Korean Confirmation Hearing System”, 2019.09.12. Link
  • Korea Legislation Research Institute, “Comparative Legal Study on Confirmation Hearing System” Link

Statistics and Government Data

  • Personal Information Protection Commission, “Analysis of 2024 Leak Report Trends”, 2025.03.
  • Korea Internet & Security Agency (KISA), Cyber Infringement Accident Report Statistics
  • Index Korea, Personal Information Infringement Report/Consultation Count Statistics

Precedents

  • Supreme Court Ruling 2015Da24904, Jan 25, 2018 (Nate Personal Information Leak Case)
  • Supreme Court Ruling 2018Da214142, Dec 28, 2018 (Standards for Compensation for Personal Information Leak Damages)
Coupang data leak Kim Bom-suk class action punitive damages hearing social critique security system public shaming
Share this insight
Lee Junho

Lee Junho

Provides information on various assets and investment strategies, exploring ways to pursue stable returns in volatile markets.

View all posts by author →
Categories: Column Coupang data leak Kim Bom-suk

Related reads

Towards a 0% Start Rate: Stopping the Economy in the Name of Safety
Column

Towards a 0% Start Rate: Stopping the Economy in the Name of Safety

12/30/2025
The Trap of Regulation and Vested Interests: Lessons from Gwangju and Korea's Future
Column

The Trap of Regulation and Vested Interests: Lessons from Gwangju and Korea's Future

12/30/2025
Coupang Labor Controversy: The Dark Side of 'Rocket Delivery'
Society

Coupang Labor Controversy: The Dark Side of 'Rocket Delivery'

12/28/2025
Trump's Second Term Tariff Bomb: Why Korean Auto Parts Makers Are Fleeing to Vietnam
Economy

Trump's Second Term Tariff Bomb: Why Korean Auto Parts Makers Are Fleeing to Vietnam

12/29/2025