Taiwan probe finds “signs of illegal conduct and negligence” in Coupang data leak

Taiwan’s Ministry of Digital Affairs said its administrative probe into Coupang Taiwan uncovered "signs of illegal conduct and negligence" after a large customer data leak, and signaled the ministry may pursue legal measures against the e-commerce unit. The finding escalates regulatory pressure on Coupang Inc., the U.S.-listed Korean firm, after third-party forensics identified roughly 200,000 Taiwan-based accounts among data accessed by a former employee.

Coupang retained Mandiant and Palo Alto Networks for a comprehensive forensic investigation and published summary findings that corroborate the role of a departing staffer in unauthorized access. The company said the information accessed was limited to basic contact and order records including names, email addresses, phone numbers, delivery addresses and a limited number of order lists. Coupang and its forensic teams said highly sensitive information such as payment details, passwords and government identification numbers were not accessed.

Mandiant’s forensic work, cited by Coupang, identified approximately 200,000 Taiwanese customers whose personal contact records were viewed. Coupang said it recovered and analyzed the devices used in the incident and blocked the system access pathway exploited by the employee. The company added there is, to date, no evidence that the data were shared with third parties or abused on criminal marketplaces, and that ongoing dark web monitoring has not turned up signs of exploitation.

The disclosure comes as regulators in Seoul have already acted. Korea’s Fair Trade Commission announced a 2.19 billion won fine, about $1.5 million, for Coupang on Feb. 26 and issued corrective orders in separate supplier-related enforcement. Coupang has announced compensation programs in affected markets. In Taiwan the company is offering an NT$1,000 voucher to eligible customers from March 8, which would amount to NT$200 million if all 200,000 potentially affected users claim the benefit. Coupang earlier provided vouchers worth 50,000 won, roughly $35, to holders of 33.7 million South Korean accounts.

Economically, the case highlights the rising direct costs and indirect liabilities firms face from insider-driven breaches. Regulators can impose fines, demand corrective orders and trigger costly remediation programs. For Coupang the immediate fiscal impact includes the vouchers, the KFTC fine and potential additional sanctions in Taiwan and probes of payment systems in Korea. Longer term, the company risks elevated compliance costs, reputational damage and weaker customer retention if trust erodes in a competitive regional e-commerce market.

The Taiwan ministry’s phrasing on negligence suggests its next moves could range from administrative penalties to referrals for prosecution, depending on the evidence of compliance failures and whether company practices violated local data protection rules. Coupang has said it is cooperating with authorities in both South Korea and Taiwan and has urged that the perpetrator be punished to the fullest extent of the law.

Several reporting threads remain unresolved. Public summaries have contained inconsistent lines about the scale of Taiwan impact, and regulatory authorities have not yet released full investigative reports detailing the legal basis for the ministry’s finding. Key follow-ups include the ministry’s formal notice of proposed legal action, the full forensic reports from Mandiant and Palo Alto Networks, and any criminal charges against the alleged former employee.

The episode fits a broader trend toward cross-border regulatory scrutiny of global tech platforms, stronger enforcement of data governance, and heightened attention to insider risk. For investors and policymakers the calculus now includes not only direct penalties but the potential for sustained increases in compliance spending and customer acquisition costs as firms rebuild trust.