Seoul: The fallout from the Coupang data breach, which exposed the personal information of 33.7 million users, continues to deepen. Not only were names, addresses, and phone numbers compromised, but also apartment entrance passwords and information on customers who left the platform years ago.

According to Yonhap News Agency, reports have surfaced of abnormal login attempts, overseas payment alerts, and even unauthorized high-value charges on credit cards registered to Coupang accounts. As customers leave the platform, small merchants dependent on Coupang are suffering steep declines in sales.

Despite the scale of what amounts to a national-level security incident, Coupang's response has appeared tepid and at times dismissive. The company removed its apology from the homepage after only two days and has used the term "exposure" instead of "leak," prompting criticism that it is minimizing responsibility. Coupang CEO Park Dae-jun told lawmakers on Dec. 3 that the company would consider compensation, but his remarks remained abstract and did not include concrete plans for relief.

The crisis has exposed structural weaknesses behind Coupang's rapid rise to the top of Korea's e-commerce market. Security oversight and internal controls lagged far behind its expansion. It is troubling that the company failed for five months to detect that a former employee had accessed and leaked customer data, and yet more alarming that the individual logged into the system using a signature key not even held by the corporate representative.

Coupang's inadequate internal controls and cavalier posture are linked to regulatory conditions that helped cement its dominance. Restrictions on large retailers intended to protect small businesses unintentionally strengthened Coupang's market position.

JP Morgan even concluded in a report that customer attrition would be limited because Korea lacks major competitors and consumers are relatively less sensitive about data privacy. Such assessments reflect a market environment in which customer concerns can be dismissed too easily.

The company's dual structure, with its operating base in Korea but parent company, Coupang Inc., incorporated in the United States, has also contributed to the problem. More than 90 percent of its revenue comes from Korea, yet founder Bom Kim stepped down from all board roles in the Korean entity once the Serious Accidents Punishment Act took effect, shielding himself from potential legal liability.

Had a breach of this magnitude occurred in the United States, the company could face astronomical damages, while Korea's penalties remain comparatively modest. Coupang has benefited from regulatory blind spots, while consumers shoulder the consequences.

The government should use this moment to strengthen accountability for data breaches and tighten oversight of major e-commerce platforms. Most of all, Coupang must abandon its dismissive posture and demonstrate responsibility through meaningful compensation, credible prevention measures, and a sincere apology from corporate leadership.