Key Points:
- South Korea’s privacy watchdog fined e-commerce giant Coupang 624.7 billion won ($409 million) over a massive data breach.
- The security failure compromised the personal information of roughly 37.5 million customers.
- The regulator also cited Coupang for illegally tracking and storing the browsing histories of over 11 million users.
- The fine represents the largest-ever corporate data protection penalty in South Korea’s history.
South Korea’s privacy watchdog hit Coupang with a historic 624.7 billion won ($409 million) fine. This penalty represents the largest data breach penalty in the country’s history. The Personal Information Protection Commission (PIPC) approved the massive fine following a lengthy investigation into security lapses that exposed the sensitive personal data of tens of millions of customers and tracked millions of other users without consent.
The watchdog found that the security failures compromised the data of approximately 37.5 million people—nearly three-quarters of South Korea’s total population of 51 million. The compromised records included customer names, phone numbers, email addresses, and purchase histories. Fortunately, passwords and payment details remained secure during the multi-month exploit. According to a Reuters report, the e-commerce giant intends to challenge the watchdog’s fine in court, setting up a major legal battle.
Regulators traced the source of the breach back to a former Coupang systems engineer, a Chinese national, who had developed alternative authentication methods for the company. After leaving the firm in late 2024, the engineer leveraged a cryptographic signing key to forge security tokens. He successfully bypassed access controls and accessed the delivery address database about 148 million times between April and November of 2025. Investigators concluded that Coupang’s failure to update security keys and enforce strict access controls directly enabled the breach.
The watchdog also penalized Coupang for failing to notify the government within the legally mandated window. Although Coupang recognized the massive leak on November 17, 2025, the firm took over 48 hours to inform the regulatory bodies, missing the strict 24-hour reporting threshold. In a more serious accusation, the privacy commission noted that Coupang officials deleted web access logs following the incident, a move the agency characterized as obstructing a government investigation.
Beyond the direct breach, the regulator uncovered an illegal user-tracking scheme operated by Coupang Partners, the company’s affiliate marketing program. The watchdog revealed that Coupang gathered and stored the online browsing histories of 11.17 million users from third-party websites and apps without obtaining their legal consent. Due to these distinct violations, the PIPC split the overall fine, levying 423.58 billion won for the data breach itself and 201.11 billion won for the unauthorized tracking.
The $409 million penalty represents roughly 1.4% of Coupang’s total 2025 revenue of 45 trillion won. More shockingly, the fine wipes out almost the entirety of the Seattle-headquartered company’s operating profit from last year, which hovered around $473 million. When combined with a separate $1.2 billion voluntary customer compensation plan that Coupang initiated in December 2025 to soothe public anger, the single data security failure is set to cost the retail giant over $1.6 billion.
The severe regulatory action has added unexpected trade friction between Seoul and Washington. Because Coupang is incorporated in the United States and listed on the New York Stock Exchange, several US politicians have expressed concern about regulatory pressure. In April, US lawmakers sent a joint letter to South Korean officials, claiming the local investigation put undue pressure on an American-headquartered enterprise. However, South Korean lawmakers stood firm, arguing that local consumer rights transcend international corporate structures.
In a public statement, Coupang apologized for the public concern but defended its practices, claiming it took proactive, preemptive steps to prevent secondary damage from the leak. The company plans to file a formal lawsuit to challenge the commission’s calculations once it receives the written ruling. Despite the company’s pushback, the landmark fine serves as a stark warning to technology and retail giants operating in South Korea, demonstrating that regulators will enforce strict data standards and impose catastrophic financial penalties for security neglect.
