Coupang hit with record $409 million breach fine

South Korea’s data protection regulator, the Personal Information Protection Commission, imposed a record fine of 624.6 billion won (about $409 million) on Coupang after finding that a breach leaked personal information tied to more than 37 million customers.
Coupang’s breach is no longer just a security incident—it’s a punishment with a price tag large enough to reshape how the company and its peers treat personal data in South Korea.
The Personal Information Protection Commission (PIPC) fined e-commerce giant Coupang a record 624.6 billion won (roughly $409 million) after a massive data breach affected more than 37 million customers. PIPC’s decision also landed on Coupang’s subsidiary, Coupang Fulfillment Service, which was fined 248 million won for unlawfully collecting, using and handling customers’ personal and sensitive data.
At the center of the regulator’s findings was the leak itself. Investigators said the personal information of approximately 37.55 million people was exposed because of inadequate security practices—problems that included failures in authentication key management and access controls.
PIPC also cited additional violations tied to what happens after a breach. The regulator pointed to breaches of data destruction and leak-notification requirements. It also said Coupang interfered with the independence of its data protection officer and obstructed the investigation. In its statement, PIPC said: “Personal information of approximately 37.55 million people leaked due to insufficient basic safety management system, including negligence in authentication signature key management and access control.”
It continued, “Regarding Coupang’s violation of safety measure obligations and collection of personal information without legal basis, a fine of 624.681 billion won and a fine of 16.8 million won were imposed, as well as corrective orders, announcements, and publication orders.”
Coupang has said the breach began in late June, but it wasn’t discovered until mid-November—when the company warned that 33.7 million accounts had been compromised. The regulator later described the breach as one of the worst in South Korea’s history.
The consequences didn’t end with the fine. Coupang, an American online retail company operating in South Korea, employs 95,000 people and has reported annual revenue exceeding $30 billion. After the incident came to light, the company announced plans in late December to pay 1.685 trillion won (approximately $1.17 billion). It also said it would begin distributing single-use purchase vouchers totaling 50,000 won (about $34) per customer in January 2026 to compensate over 33 million affected customers.
Behind the regulator’s decision sits a broader scramble to identify what went wrong and who did it. South Korean authorities took over the investigation and named the primary suspect as a 43-year-old Chinese national who worked in Coupang’s IT department between 2022 and 2024.
Coupang later said the former employee returned multiple hard drives containing sensitive data. The company also said the suspect disposed of a MacBook Air laptop in a river in an attempt to destroy evidence, but the device was recovered. Coupang added that the suspect retained user data for approximately 3,000 accounts, even though they accessed millions of accounts, and that this data was deleted from all devices and not transferred to others.
For many customers, the timeline is the most unsettling part: late June exposure, mid-November discovery, and then a long stretch until authorities issued findings serious enough to set a record fine. For regulators, the question seems to have been simpler—whether basic safeguards and required responses were in place before the leak ever happened.
Coupang is not the only company in South Korea to face fallout related to data exposure. SK Telecom, South Korea’s largest mobile network operator, warned customers in April that sensitive USIM data had been exposed after its network was infected with malware. SK Telecom later revealed the malware was first deployed on its systems in June 2022, affecting a total of 27 million subscribers—representing almost the company’s entire customer base.
409 million fine?? for what like hacking or just bad security? seems insane.
I don’t even get how it took from June to November to notice that many people. That’s like…how is there a job if you don’t notice? Also 37 million customers??
Wait so they got fined because of “authentication key management” which sounds like they were literally giving out passwords. I’m not saying that’s what happened, but that’s what it sounds like. If they were collecting info without legal basis too, then yeah fine should’ve been way bigger.
Sounds like typical big tech punishment theater. They’ll pay the fine and then still do the same thing next year, just different wording. And the part about interfering with the data protection officer like…isn’t that just corporate politics? Idk, I just feel bad for everyone whose info got leaked.