Story Stocks®

Updated: 26-Dec-25 13:29 ET
Coupang Rallies as Cyber Update Looks Better-Than-Feared (CPNG)

Coupang (CPNG) is rallying today in a relief-type move after the company issued a more detailed update yesterday on its cybersecurity incident, helping narrow perceived downside from the headline risk. The company initially announced the matter in late November and then provided additional disclosure in a Dec. 16 8-K, noting it became aware of unauthorized access to customer accounts and activated its incident-response process.

  • In its Dec. 16 filing, CPNG said a former employee may have obtained basic customer data including names, phone numbers, delivery addresses, and email addresses up to 33 mln customer account. In yesterday's update, CPNG said it has identified the perpetrator and retrieved and secured all devices used in the leak.
  • Importantly, while the perpetrator accessed 33 mln accounts, CPNG said they retained data from approximately 3,000 accounts and later deleted it. CPNG added that no payment data, log-in credentials, or individual customs numbers were accessed and that the data was not transferred to others.
  • Outside of the incident, CPNG's Q3 results showed its core business has been performing well, with revenue up 18% yr/yr to $9.3 bln, gross margin expanding 50 bps to 29.4%, and management reiterating that Korea remains a durable growth opportunity with broad-based cohort strength and significant runway.
  • An overhang remains, however, as CPNG noted it is cooperating with Korean regulators, which have launched their own investigations, and while operations were not materially disrupted, it warned the incident could still lead to remediation costs, potential penalties, and litigation, with losses not yet reasonably estimable.

Briefing.com Analyst Insight

Investors are treating the latest update as better-than-feared and a meaningful reduction in headline risk. The incident has been a notable overhang since CPNG's initial notice in late November, when it said it became aware on Nov. 18 and that unauthorized access may have begun as early as June via overseas servers. The new update helps narrow perceived downside by suggesting the perpetrator retained data from only a small subset of accounts relative to the 33 mln accessed, while reiterating that sensitive information such as payment and log-in data was not compromised and that the data was not transferred to others. That reframing is supporting a relief rally today. Even so, the key items to watch from here are what Korean authorities ultimately conclude and whether Coupang faces meaningful remediation, litigation, or regulatory costs.

Cookies are essential for making our site work. By using our site, you consent to the use of these cookies. Read our cookie policy to learn more.