[Digital Today reporter Shin-hye Ahn (안신혜)] Coupang acknowledged there was improper access by a former employee in connection with the findings announced by a joint public-private investigation team on the scale of personal information. It said indications of actual storage and leakage were limited and that no evidence of secondary harm has been confirmed.

Coupang also said 50,000 cases of apartment building common-entrance access codes cited in the investigation report released on Feb. 10 were not true. It said actual access was limited to 2,609 accounts.

In a Feb. 10 statement titled "Coupang's position on the joint public-private investigation team's announcement on the November 2025 data incident investigation," Coupang said a former employee of Chinese nationality last year improperly accessed data containing more than 33 million customer accounts and stored information on about 3,000 accounts. It said the employee, who lived in South Korea, used a self-written software program to carry out about 140 million automated searches. It added there were no signs the data was additionally viewed or used by a third party.

In the statement, Coupang highlighted about 140 million automated data searches, access to user data for about 33 million people, 2,609 cases of access to data containing apartment common-entrance access codes, storage of user data for about 3,000 cases and 0 cases of improper data use.

According to Coupang, the former employee of Chinese nationality carried out about 140 million automated searches using a self-made program while working in South Korea and improperly accessed data containing more than 33 million customer accounts. It said the stored information was limited to about 3,000 accounts and there were no signs a third party additionally viewed or used it. Of the accessed data, 2,609 cases included apartment common-entrance access codes.

Coupang said, based on forensic analysis results it had shared with regulators during the investigation, that all devices used by the former employee to access the information had been seized. It said the secured evidence matches the individual's sworn statement that the person deleted the data after storing information for about 3,000 accounts.

The company said the joint public-private investigation team and the Personal Information Protection Commission, among others, have held the seized devices since Dec. 23 last year. It also said authorities have forensic results showing no personal information of South Korean users is stored on the seized devices.

On the scope of the accessed information, it said it was limited to names, email addresses, phone numbers, delivery addresses, limited order history and some apartment common-entrance access codes. It claimed there was no access to highly sensitive information such as payment information, financial information, user IDs and passwords, and government-issued identification. Coupang said this was verified by security logs from cloud platform provider Akamai and that it provided those logs to the joint public-private investigation team and the Personal Information Protection Commission on Dec. 8 last year.

Coupang also claimed that, unlike the report released on Feb. 10 by the joint public-private investigation team stating that 50,000 searches were conducted for apartment common-entrance access codes, it omitted verification results based on Akamai logs and data analysis showing actual access was limited to 2,609 accounts.

The company also stressed that secondary harm has not been confirmed. Coupang said that, according to analysis by independent security firm CNS, monitoring results from the time the data leak occurred to the present have not identified a single case of dark web activity linked to secondary harm.

According to the company, it receives weekly monitoring results from multiple independent internet security firms that continuously track the dark web, deep web, Telegram and Chinese messaging platforms. Coupang said it has provided the government with related analysis results throughout the investigation process and will continue monitoring and providing updates.

Coupang questioned the police's comment on Dec. 15 last year that it is difficult to be definitive about whether secondary harm occurred. Coupang said the stance changed within 10 days from the police's earlier statement on Dec. 5, based on monitoring results, that no suspected cases of secondary harm were found involving misuse of the types of information leaked from Coupang, such as delivery address and order information. Coupang dismissed the comment, saying there have been no cases of secondary harm confirmed and announced by police up to now, about two months after that remark.

The company said it will continue fully cooperating with the government's investigation, take all necessary steps to prevent additional harm and strengthen its protection system to prevent recurrence. It said it hopes all facts will be clearly revealed and expressed deep regret for causing concern, apologising to everyone affected.