The Personal Information Protection Commission (PIPC) imposed a fine of 423.6 billion won for the breach itself — the largest fine ever levied in the country for a single data leak — and a further 201.1 billion won for collecting the online activity records of about 11.17 million users without legal grounds.
The combined penalty dwarfs the previous record of 134.8 billion won imposed on wireless carrier SK Telecom last year, and effectively wipes out the 679 billion won in operating income that New York-listed parent Coupang posted in 2025.
The commission concluded that inadequate basic safeguards, including poor management of authentication signing keys and lax access controls, allowed a hacker — a former Coupang employee — to siphon off data from about 33.22 million member accounts and at least 4.33 million non-members.
The tally exceeds by nearly 4 million the 33.67 million figure announced in February by a government-led joint investigation team, after the watchdog counted non-member individuals whose details were swept up through members' address books.
Order histories of about 58,000 members were also leaked.
The regulator additionally imposed a 16.8 million won administrative fine for delayed breach notification and decided to refer the company to investigative authorities, saying Coupang had hindered its probe.
It ordered the company to strengthen safeguards, notify affected non-members and guarantee the independence of its chief privacy officer within three months.
Coupang apologized for the incident but said it would challenge the decision in court once it receives the commission's written ruling.
"We regret that proactive measures taken to prevent secondary damage and explanations based on clear facts regarding last year's data breach were not sufficiently reflected in the commission's decision," the company said in a statement, adding that it expects the facts to be clearly established through legal proceedings.
PIPC chairperson Song Kyung-hee said at a briefing that the commission would respond aggressively to any litigation, calling the decision a reasonable one reached after thorough review based on law and principle.
The breach, disclosed in late November, triggered an exodus of customers and a political firestorm in South Korea, prompting an emergency ministerial meeting and months of parliamentary scrutiny of the country's largest online retailer.
Coupang has already set aside 1.69 trillion won in compensation vouchers for affected customers, a charge that pushed the company to a 354.5 billion won operating loss in the first quarter — its first quarterly loss since turning profitable in late 2022.
The penalty's scale stems from South Korea's revenue-linked fine system, under which the regulator can impose up to 3 percent of related sales depending on the gravity of violations. Coupang's Korean unit generated about 45.5 trillion won in revenue last year, far above SK Telecom's 17 trillion won.
Copyright ⓒ Aju Press All rights reserved.



