SEOUL – Coupang, the e-commerce giant, recently unveiled a compensation plan offering vouchers worth 50,000 KRW (approximately $35) per person following a massive data breach. While the company self-evaluated the measure as an "unprecedented level of compensation," public sentiment remains cold, with many questioning whether the amount truly reflects the gravity of the leaked information.

The Industrialization of Data Theft
According to security industry experts, personal data theft has evolved into a highly specialized, multi-stage industry, much like the semiconductor or biotech sectors. The process typically begins with Initial Access Brokers (IABs) who identify and exploit vulnerabilities within a corporate system. Professional hackers then purchase this access to infiltrate the network, deploy malware, and extract targeted data.

Once stolen, this information is traded through illicit channels on the Dark Web. It is frequently used for smishing, phishing, and other fraudulent activities. A significant concern is that once data enters this ecosystem, it is never destroyed; instead, it is recycled, combined with other stolen datasets, and resold for increasingly sophisticated attacks.

The Dark Web Market Value vs. Coupang’s Offer
The adequacy of Coupang’s compensation becomes clearer when compared to the actual market value of stolen data. According to the "2025 Dark Web Data Pricing Structure" report by global security firm DeepStrike, basic identifiers such as names and emails are relatively inexpensive due to oversupply. For instance, a U.S. Social Security Number (SSN) typically trades for between $1 and $6, rarely exceeding $15.

However, the value skyrockets when data sets become more comprehensive. When a name is combined with a date of birth or specific contact details, the price jumps to between $20 and $100. Medical records, which include sensitive history alongside personal identifiers, can command prices upwards of $500.

The data leaked from Coupang includes names, phone numbers, email addresses, delivery addresses, and even the contact information of third parties stored in address books, along with detailed order histories.

Professor Choi Un-ho of Sogang University warned that this specific combination of data allows for highly targeted scams. "An attacker could approach a victim saying, 'Your recent order has been delayed,' making it nearly impossible for the consumer to distinguish a scammer from an actual customer service representative," Choi noted.

A Disconnect in Corporate Responsibility
Critique of the compensation plan centers on the fact that Coupang’s $35 offer falls significantly short of the $100 market value that such comprehensive data sets can command in criminal circles. To many consumers, this discrepancy suggests that Coupang’s sense of responsibility toward its customers is lower than the actual value placed on that data by cybercriminals.

Two months have passed since the incident came to light, yet a resolution remains out of sight. Discrepancies persist between Coupang and regulatory authorities regarding the total number of affected users. Furthermore, reports suggest that the company has not been fully cooperative with the private-government joint investigation team.

As the new year begins, public pressure is mounting for a more transparent investigation and the imposition of accountability that matches the true scale of the damages incurred by millions of users.