Coupang hit with record $409 million data breach fine in Korea
South Korea's data protection regulator fined e-commerce giant Coupang a record $409 million over a breach affecting 37 million customers.
South Korea's Personal Information Protection Commission (PIPC) has imposed a record 624.6 billion won (approximately $409 million) fine on e-commerce giant Coupang following a massive data breach that exposed the personal information of over 37 million customers. The penalty, the largest ever levied by the PIPC, also includes a separate 248 million won fine against subsidiary Coupang Fulfillment Service for unlawfully collecting and handling sensitive customer data.
The breach, one of the worst in South Korea's history, occurred in late June 2025 but was only discovered in mid-November, when Coupang warned that 33.7 million accounts had been compromised. Investigators found that inadequate security measures—including failures in authentication key management and access controls—led to the exposure of approximately 37.55 million individuals' personal data. The PIPC also cited violations of data destruction and leak-notification requirements, interference with the independence of Coupang's data protection officer, and obstruction of the investigation.
According to South Korean authorities, the primary suspect is a 43-year-old Chinese national who worked in Coupang's IT department between 2022 and 2024. The former employee allegedly accessed millions of accounts and retained data for approximately 3,000 accounts. Coupang later reported that the suspect returned multiple hard drives containing sensitive data and attempted to destroy evidence by disposing of a MacBook Air laptop in a river, though the device was recovered. The company stated that the retained data was deleted from all devices and not transferred to others.
Coupang, an American online retail company operating primarily in the South Korean market, employs 95,000 people and reported annual revenue exceeding $30 billion. In response to the breach, the company announced plans in late December to pay 1.685 trillion won (approximately $1.17 billion) and to begin distributing single-use purchase vouchers totaling 50,000 won (about $34) per customer in January 2026 to compensate over 33 million affected customers.
The PIPC's record fine underscores the growing regulatory scrutiny on data protection in South Korea, following similar actions against other major firms. The breach also highlights the persistent risks posed by insider threats, as the suspect was a former IT employee with privileged access. The incident adds to a series of high-profile data breaches in the country, including the recent SK Telecom breach that exposed sensitive USIM data of 27 million subscribers.
The fine serves as a stark warning to companies handling large volumes of personal data, emphasizing the need for robust security measures, proper access controls, and timely breach notification. As regulators worldwide tighten data protection enforcement, the Coupang case may set a precedent for future penalties in South Korea and beyond.