South Korean Regulator Probes Coupang’s Account Deletion Process After Massive Data Breach

Key Takeaways

• Regulatory Scrutiny Intensifies: South Korea’s telecoms regulator is investigating whether Coupang’s account deletion process unlawfully restricts users’ right to terminate services.
• Complex Exit Process Under Fire: Users must navigate multiple hard-to-find steps across mobile and PC platforms, raising concerns about intentional friction.
• Data Breach Context Matters: The probe follows a breach affecting more than 30 million customers, which triggered leadership changes and increased deletion requests.
• Enforcement Risk Ahead: If violations are confirmed, Coupang could face penalty surcharges and corrective orders under telecoms law.
• Broader Risk Signal: The case highlights how cybersecurity incidents can quickly expand into governance, consumer protection, and regulatory compliance crises.

Deep Dive

South Korea’s media and telecoms regulator has launched an investigation into Coupang, examining whether the e-commerce giant has unlawfully made it difficult for users to delete their accounts in the wake of a massive personal data breach that rattled the country earlier this year.

The Korea Media and Communications Commission said on December 4 that it has opened a fact-finding investigation into Coupang’s account deletion procedures to determine whether they violate the Telecommunications Business Act. The law prohibits service providers from restricting or obstructing users’ right to terminate a service.

The probe comes as public scrutiny of Coupang remains intense following the disclosure that unauthorized access to its systems exposed the personal information of more than 30 million customers. That incident led to the resignation of Chief Executive Park Dae-jun and the appointment of Harold Rogers, Coupang’s Chief Administrative Officer and General Counsel, as interim CEO.

According to the KMCC, the investigation focuses on whether Coupang has intentionally designed its account deletion process to be difficult to locate and unnecessarily complex. Regulators noted that the procedures appear to impose significant inconvenience on users, particularly as requests to close accounts have surged following the data breach.

Under the current process, users attempting to delete their accounts through the Coupang mobile app must navigate several layers of menus. The option is not immediately visible and requires users to access the Personal Information section, enter settings, select Edit Info, and input their password. At that point, users are instructed to switch to the PC version of the service to continue the deletion process.

Once on the PC platform, users must complete additional steps, including navigating through My Coupang, accessing account information, re-entering their password multiple times, scrolling to the bottom of the page to find the deletion option, reviewing their usage history, and submitting a survey before the request can be finalized.

The KMCC said it initiated the investigation promptly because these procedures may constitute an unlawful restriction on users’ rights, especially given the heightened sensitivity surrounding personal data protection after the breach. Coupang previously disclosed that unauthorized access to its systems went undetected for months, from June through November, exposing names, email addresses, phone numbers, shipping addresses, and parts of customers’ order histories. The company said payment information, credit-card numbers, and login credentials were not compromised.

If the investigation confirms violations of the Telecommunications Business Act, the Commission said it will pursue strict enforcement measures, including penalty surcharges and corrective orders. The KMCC also indicated that it plans to continue monitoring harmful practices across telecommunications and digital services that play a central role in citizens’ daily lives.

The investigation adds another regulatory front for Coupang, which is already facing a police probe into the breach itself. Together, the leadership shake-up, cybersecurity fallout, and now scrutiny over user exit rights underscore how quickly digital risk can cascade across governance, compliance, and consumer trust when personal data protections fail.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.