Coupang Fined Record $467 Million for Data Breaches and Security Failures

By BAEK SEO HYUN Posted : June 11, 2026, 12:33 Updated : June 11, 2026, 12:33
Chairperson Song Kyung-hee of the Personal Information Protection Commission strikes the gavel during the 11th full meeting of the commission at the Government Seoul Building in Jongno-gu, Seoul on June 10. [Photo=Personal Information Protection Commission]

The Personal Information Protection Commission (PIPC) has imposed a record fine of 624.68 billion won (approximately $467 million) on Coupang, determining that the company’s failure to uphold basic data protection obligations led to the breaches. The fine surpasses the previous record set by SK Telecom. The commission found multiple violations, including unauthorized data collection, obstruction of investigations, and failure to properly dispose of personal information.
During a briefing on June 11, PIPC Chairperson Song Kyung-hee stated, "This incident was not due to sophisticated hacking but rather a result of inadequate management of basic safety protocols, such as the management of authentication signing keys and access controls. We have issued a penalty in accordance with the law and principles, regardless of whether the company is domestic or international."
The decision followed over 13 hours of deliberation during a full commission meeting held the previous day, which began at 10 a.m. and concluded around 11:30 p.m. Coupang representatives attended the meeting to present their views and engage in a question-and-answer session with the commissioners.
Graphic overview of the Coupang attack [Photo=Personal Information Protection Commission]

The investigation began on November 20, 2025, when Coupang reported a data breach following customer complaints about a hacker's extortion email. The PIPC immediately launched an investigation, forming a joint task force with the Korea Internet & Security Agency (KISA) due to the platform's significance to the public.
Coupang later confirmed a much larger scale of data breaches than initially reported, leading to a second notification on November 29. In February 2026, the company reported a third breach involving approximately 165,000 additional user accounts.
Investigators found that the hacker was a former Coupang employee who had left the company at the end of the previous year. The hacker exploited a signing key from an alternative authentication system developed during their employment to repeatedly access user information from April to November 2025, extracting data from approximately 33.22 million users and at least 4.33 million non-member delivery information subjects, totaling around 37.55 million individuals.
The PIPC deemed Coupang's failure to implement adequate safety measures a serious issue. The company allowed the authentication signing key to be viewed in plaintext and failed to revoke or change access to the key after the employee's departure. During the attack, 148 million abnormal access attempts and a sudden spike in traffic went undetected, indicating a failure in access control. The PIPC noted, "The inability to even recognize the attack signifies that access control was not functioning properly."
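The key-management failure described above can be shown in a short added example, which is not from the article and does not reflect Coupang's actual system: a token signed with a key that a departed employee could read keeps verifying until that key is retired. The token format, the `KeyRing` class, and all names and secrets are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, json

class KeyRing:
    """Signing keys by key ID, with who could read each one (hypothetical model)."""
    def __init__(self):
        self.keys = {}  # kid -> {"secret", "readers", "retired_at"}

    def add(self, kid, secret, readers):
        self.keys[kid] = {"secret": secret, "readers": set(readers), "retired_at": None}

    def offboard(self, person, now):
        """Retire every live key the departing person could read; return their kids."""
        exposed = [kid for kid, k in self.keys.items()
                   if person in k["readers"] and k["retired_at"] is None]
        for kid in exposed:
            self.keys[kid]["retired_at"] = now
        return exposed

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign(secret, kid, subject, issued_at):
    """Issue a token: base64url(JSON claims) + "." + base64url(HMAC-SHA256)."""
    body = _b64(json.dumps({"kid": kid, "sub": subject, "iat": issued_at}).encode())
    return body + "." + _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())

def verify(ring, token):
    """Return the token's subject if it is valid, otherwise None."""
    try:
        body, sig = token.split(".")
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        key = ring.keys[claims["kid"]]
    except (ValueError, KeyError, TypeError):
        return None
    expected = _b64(hmac.new(key["secret"], body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None
    # A retired key vouches for nothing. The "iat" claim cannot rescue older
    # tokens, because anyone holding the key can sign any issue time they like.
    if key["retired_at"] is not None:
        return None
    return claims.get("sub")
```

Recording who can read each key is what lets offboarding list exactly which keys must be replaced; services then re-issue tokens under a new key ID.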
The commission also criticized Coupang's inadequate response after the breach. The company failed to notify affected parties within the legal timeframe of 72 hours after recognizing the additional data breaches and did not inform non-member delivery information subjects despite multiple requests from the PIPC. Furthermore, some personal data of former members was retained against internal regulations, leading to actual breaches. The company also deleted web access logs after a preservation order was issued, complicating the investigation. The PIPC plans to file charges for obstruction of the investigation.
Additionally, the PIPC found that Coupang had collected user activity records from approximately 11.17 million users on third-party websites and apps without consent while operating its 'Coupang Partners' program. The commission stated that the company lacked legal grounds for collecting personal online activity records for targeted advertising and failed to manage so-called 'kidnapping ads' properly, resulting in an additional fine of 201.16 billion won (approximately $150 million).
Coupang's statement regarding the PIPC's decision [Photo=Screenshot]

Coupang expressed regret over the PIPC's decision, stating, "The proactive measures taken to prevent secondary damage related to the data breach and explanations based on clear facts were not adequately reflected in the PIPC's decision. We hope that the facts will be clarified through legal procedures after receiving the official resolution." The company also asserted that Coupang Partners operates legally based on the same partnership model as global companies.



* This article has been translated by AI.

Copyright ⓒ Aju Press All rights reserved.