Coupang's New Data Leak Compounds Regulatory and Legal Risks

What happened

On February 5, 2026, Coupang's shares dropped over 13% after a Reuters report revealed an additional 165,000 users' data was leaked, building on the massive 2025 breach that affected 33 million customers. This incident has spurred a securities class action lawsuit alleging disclosure delays, amplifying legal and reputational threats. The DeepValue report previously identified the 2025 breach as a critical regulatory overhang, with potential fines up to $900 million and a $1.2 billion voucher program set to reduce future revenue. Management's risk management failures, already criticized in the report, are further highlighted by this recurrence, indicating unresolved security weaknesses despite prior commitments. Together with ongoing Korean regulatory probes and a premium valuation at 94x P/E, this breach heightens the downside risks to Coupang's financial stability and growth prospects.

Implication

The new data leak raises the probability of steeper fines under Korea's evolving data protection laws, potentially exceeding the 3% revenue cap and compounding the $1.2 billion voucher liability. Customer trust, already weakened by the 2025 breach, may erode further, risking declines in Product Commerce active users and revenue per customer that could undercut core profitability. Legal costs from the class action could strain finances, especially as Developing Offerings continue to post significant losses and require ongoing investment. Management's credibility is further damaged, raising governance concerns that might impair strategic decisions and capital allocation discipline. Given the stock's high multiples, these accumulated risks make it prudent to avoid new positions until regulatory outcomes are clear and customer metrics show recovery.

Thesis delta

The new breach validates the DeepValue report's warning about persistent cybersecurity and regulatory risks, shifting the probability of the Bear scenario higher due to increased likelihood of severe fines and customer attrition. It underscores management's inability to secure data, potentially prompting more aggressive regulatory actions and eroding the margin of safety. Therefore, the thesis moves from a 'POTENTIAL SELL' to a stronger emphasis on avoiding exposure until fines are quantified and post-breach engagement stabilizes.