Asia's most overlooked stocks — delivered weekly

Join 20,000+ investors getting thematic reports, watchlist updates, and curated links across 13 Asian markets

Join Free
Skip to content
Sign In Subscribe
Thematic reportsSouth Korea

Coupang's Cyber Security Incident

Conclusion: Probably not a big deal

 and  Michael Fritzell
4 min read

Table of Contents

Hi! I'm Michael Fritzell. Welcome to another free-to-read edition of Asian Century Stocks – a newsletter about Asian value stocks. First time reading? Sign up here. For a complete list of all previous posts, check out the Table of Contents.

Disclaimer: This article constitutes the author’s personal views and is for entertainment and educational purposes only. It is not to be construed as financial advice in any shape or form. Please do your own research and seek your own advice from a qualified financial advisor. From time to time, the author might hold positions in the below-mentioned stocks consistent with the views and opinions expressed in this article. This is a disclosure, not a recommendation to buy or sell stocks.

On 29 November 2025, South Korean e-commerce company Coupang (CPNG US — US$37 billion) reported a cybersecurity breach, with personal information of millions of customer accounts leaked to third parties.

The stock price dived, eventually falling almost 50% from the peak:

The day after the announcement, Coupang's CEO Park Dae-jun publicly apologized and provided details about the leak. It exposed names, email addresses, phone numbers, delivery addresses, and even door codes.

It turns out the breach was caused by a 43-year-old former employee who hacked into the system from Mainland China and scraped data from internal servers.

Coupang's behavior during the scandal became heavily criticized:

  • Coupang failed to meet the 24-hour legal deadline for reporting a breach to authorities
  • When reporting the breach to the Korean government, Coupang initially said that only 4,536 accounts were affected, not the actual number of 34 million
  • In the public announcement, Park characterized the incident as a "data exposure" rather than a leak
  • Coupang never disclosed the fact that the breach came from an inside employee, a whopping 147 days after he had resigned, and that the downloads took place over a period of five months
  • Furthermore, Coupang removed its apology banner from the website after just 3 days and replaced it with a Christmas sale ad. This angered the general public.
  • CEO Park Dae-jun eventually resigned, leaving new interim CEO Harold Rogers to deal with the fallout from the cybersecurity breach. However, he does not speak Korean, and he had a limited role in the company prior to his appointment. So many concluded that he was simply used to shield the US-based founder, Bom Kim, from any criticism.
Copuang's new interim CEO Harold Rogers in a parliamentary hearing

When an established company's stock price declines by almost 50%, my first instinct is to investigate whether the decline will result in a permanent impairment of capital.

I've seen cybersecurity breaches many times before. For example, here are some of the most recent ones:

I downloaded the stock prices for each publicly listed company on the list, covering 14 calendar days before each incident and 365 calendar days after. This is what the distribution of returns have looked like:

Source: TIKR

The data is noisy, but on average, there has been a ~10% decline in the two months following each incident, followed by an almost complete recovery six months later.

These are, of course, tentative numbers, and the sample is too small to be statistically significant, so take them with a grain of salt. But in any case, I think it's clear that cybersecurity incidents aren't particularly serious. Not in terms of customer perception or investor sentiment, either.

These are tentative numbers and not statistically significant, so take them with a grain of salt. But my main takeaway is that cybersecurity incidents tend not to be that serious in either customer perception or investor sentiment.

So it's surprising that Coupang's stock price sold off this much in response to its cybersecurity incident. I suspect politics is involved, as the scandal has now blown up to unprecedented proportions. It's a huge contrast to when subscription platform Substack reported a leak in early 2026 – nobody batted an eye.

I spoke with Eugene Teo, Microsoft's Chief Security Advisor for Southeast Asia, and asked him what it was about Coupang's case that made the market reaction so severe:

"The Coupang case underscores the importance of maintaining basic cyber hygiene to reduce the likelihood of a cyber incident.

There are two critical control deficiencies we must learn from this case: first, the importance of robust employee offboarding, ensuring access is promptly revoked for departing employees, especially those with privileged access to internal systems. The second is using a Hardware Security Module (HSM) to safeguard digital keys. Because Coupang did not do this, their former employee was able to retain access to their internal systems for months after their departure."

You can find Eugene's take on the Coupang case here.

So it seems like Coupang's internal processes were lacking, to say the least. The fact that Coupang's security budget was only 0.2% is another warning sign. In contrast, Amazon spends more than 1.0%.

Will the impact be long-lasting? Well, judging from high-frequency website traffic data, Coupang's website traffic did decline in early 2026. But there's already a nascent sign of a recovery:

Source: TickerTrends

I think the bottom line is that people's memories are short. And when a service fulfills customer demands far better than the competition, even major cybersecurity incidents are unlikely to permanently impair a business like Coupang.

Get Full Access

Comments

Related

Latest