Coupang interim CEO testifies behind closed doors over breach affecting tens of millions

Harold Rogers, interim chief executive of Coupang’s Korean unit, appeared for a closed-door deposition before the U.S. House Judiciary Committee on Feb. 23 and Feb. 24 as investigators probe a sprawling data breach in South Korea that authorities say affected tens of millions of users. The two-day session signals growing U.S. congressional scrutiny of foreign e-commerce platforms after an incident that has become one of the region’s largest consumer-data compromises.

The closed testimony focused on operational details sought by committee staff, including the scope of the breach, the company’s timeline for detection and disclosure, and what safeguards were in place for cross-border data flows. Committee leaders have said they want to assess how platforms that operate across jurisdictions handle consumer data and whether existing U.S. oversight tools are adequate when the affected infrastructure and legal frameworks are overseas.

For Coupang, the operational stakes are immediate. The company must now simultaneously manage damage control in its home market, respond to inquiries from U.S. lawmakers, and prepare for enforcement actions from South Korean regulators. Remediation for large-scale breaches typically includes forensic investigations, customer notifications, credit-monitoring services and system upgrades; for a company of Coupang’s size those measures can cost tens of millions of dollars and raise ongoing compliance expenses for years.

Investors and corporate risk managers will be watching the legal fallout. U.S. congressional attention can translate into policy proposals that tighten data transfer rules or impose new disclosure requirements on firms that list on U.S. exchanges. Coupang, which trades in New York under the ticker CPNG, faces a potential increase in its regulatory risk premium as markets factor in the cost of litigation, fines and reputational damage. The closed-door nature of the session limits immediate market clarity, but it amplifies uncertainty that typically depresses valuations for consumer-facing tech companies.

The incident also sharpens long-term policy debates over data governance. Lawmakers in Washington have been debating how to reconcile consumer privacy protections with national security and economic openness. The committee’s questioning of a foreign e-commerce executive underscores a broader trend: major data incidents now trigger cross-border policy coordination and can accelerate legislative moves toward stricter data localization, mandatory breach reporting, and expanded jurisdictional reach for regulators.

On the operational front, the breach raises questions about vendor management, legacy system vulnerabilities and the adequacy of encryption and access controls across integrated platforms. For South Korean consumers, the breach may drive demand for stronger legal remedies and faster notification timelines. For multinational companies, the episode is a reminder that privacy compliance is increasingly a global, not a local, cost.

Moving forward, investigators in South Korea and committee staff in Washington are expected to continue fact-finding. Public hearings could follow if lawmakers determine that broader systemic issues are at play. For Coupang, the immediate imperative will be to demonstrate fast, transparent remediation and to quantify the economic impact for customers and shareholders as regulators and markets reassess the long-term costs of the breach.