South Korea’s data protection regulator has imposed a record fine of 624.6 billion won (approximately $409 million) on Coupang over a massive personal data breach that affected more than 37 million users.
Coupang Fulfillment Service, a subsidiary of Coupang, was also sanctioned and fined 248 million won for the unlawful collection, use, and processing of customers’ personal and sensitive information.
An investigation by South Korea’s Personal Information Protection Commission (PIPC) found that the breach was caused by serious weaknesses in the company’s security practices. Regulators pointed to poor management of authentication keys and inadequate access controls as key factors behind the incident.
According to the PIPC, the personal information of approximately 37.55 million individuals was compromised as a result of these failures.
“The personal information of approximately 37.55 million people was leaked due to an inadequate basic security management system, including negligence in managing authentication signature keys and access controls,” the regulator said.
Beyond the data breach itself, the commission identified additional violations, including failures to properly delete data, delays in reporting the breach, interference with the independence of Coupang’s data protection officer, and obstruction of the investigation.
As a result, the PIPC imposed a fine of 624.681 billion won on Coupang, along with an additional administrative penalty of 16.8 million won. The company was also ordered to implement corrective measures and publicly disclose details of the violations.
Coupang is a U.S.-based e-commerce company operating in South Korea. It employs approximately 95,000 people and reports annual revenue exceeding $30 billion.
In late December, the company announced a large-scale compensation program for affected users. Coupang plans to spend 1.685 trillion won (approximately $1.17 billion) and distribute one-time vouchers worth 50,000 won (about $34) to more than 33 million impacted customers.
The breach occurred in late June but was not discovered until mid-November, when Coupang disclosed that 33.7 million user accounts had been compromised. The incident quickly became one of the largest data breaches in South Korean history.
According to investigators, the main suspect is a 43-year-old Chinese national who worked in Coupang’s IT division between 2022 and 2024.
The company later stated that the former employee returned several hard drives containing sensitive information. It was also revealed that he attempted to destroy evidence by throwing a MacBook Air into a river, although authorities were eventually able to recover the device.
Coupang said the suspect retained data belonging to approximately 3,000 users despite having access to information from millions of accounts. The company added that all recovered copies of the data were deleted from devices and were not shared with third parties.
The incident has drawn comparisons to another major South Korean data breach. In April, South Korea’s largest mobile carrier, SK Telecom, warned customers that sensitive USIM data had been exposed after malware infected its internal network.
SK Telecom later revealed that the malware had been present in its systems since June 2022. As a result, up to 27 million subscribers may have been affected, representing nearly the operator’s entire customer base.