South Korea’s privacy regulator has fined Coupang Corp. a record 624.7 bn won, equal to about $409 mn, over a major personal data breach involving nearly 34 mn accounts.
The Personal Information Protection Commission imposed the penalty on Coupang’s South Korean entity. It is the largest fine South Korea has issued for a personal data breach, exceeding the previous record of 134.8 bn won against SK Telecom.
Under South Korean rules, the regulator can impose fines of up to 3% of annual sales. The decision puts new pressure on Coupang Inc., the U.S.-listed owner of South Korea’s largest e-commerce platform.
Kyung Hee Song, chairperson of the regulator, said the incident resulted from weak basic safety controls and negligent management rather than a sophisticated hacking technique.
The company grew rapidly by using large-scale customer data to deliver innovative e-commerce services, but investigation found that its personal information protection and management systems failed to keep pace.
Kyung Hee Song, chairperson of the regulator,
Coupang came under scrutiny after regulators found that a former employee had improperly accessed personal information from nearly 34 mn accounts. That figure equals roughly two-thirds of South Korea’s population.
The improper access reportedly went undetected for months. The scale of the breach triggered public criticism, regulatory investigations, and political tension between South Korea and the United States.
The case also created diplomatic friction because Coupang is incorporated in the United States while operating one of South Korea’s most widely used online retail platforms.
After the breach, Greenoaks Capital Partners, a major investor in Coupang Inc., urged the U.S. government to investigate South Korea in January. The investor alleged discriminatory treatment of the American-listed e-commerce company.
South Korean lawmakers pushed back against what they described as U.S. political pressure over the treatment of Coupang and its executives. The dispute added a cross-border dimension to a cybersecurity case already under heavy domestic scrutiny.
Last month, Coupang warned that revenue growth would slow this year after it issued customer vouchers in response to the breach. Its shares have fallen about 35% since the start of the year.
Coupang said it regretted the regulator’s decision. The company argued that the ruling did not fully reflect its proactive measures to prevent secondary harm after last year’s data leak.
“Once we receive the commission’s formal written decision, we hope the facts will be clearly established through the legal proceedings,” Coupang said in a statement.
Under South Korean law, Coupang still has the option to challenge the ruling in court. The final financial impact could therefore depend on legal proceedings and any later adjustment to the regulator’s decision.
Of the total penalty, regulators imposed 423.6 bn won for leaking personal data. They added 201.1 bn won for non-consensual data collection.
The regulator also fined Coupang Fulfillment Services, the company’s logistics subsidiary, 248 mn won. Authorities said the subsidiary unlawfully collected personal information and used it to place individuals on an employment restriction list.
According to Beinsure analysts, the Coupang case shows how data governance has become a financial and geopolitical risk for large digital platforms. The exposure extends to regulatory penalties, investor pressure, diplomatic disputes, customer compensation, and weaker market confidence after a major cyber incident.
A massive data breach at Coupang that exposed personal information tied to 33xman customers has been traced to a former employee who retained access to internal systems after leaving the company, according to South Korean police.
The Seoul Metropolitan Police Agency disclosed the findings to local media after raiding Coupang’s offices earlier this week as part of an independent investigation.
Authorities say the breach ranks as the most serious cybersecurity incident in the country’s history.
Coupang, South Korea’s largest online retailer, employs about 95,000 people and generates annual revenue exceeding $30 bn.
On Dec., the company confirmed that personal data linked to 33.7 mn customers had been compromised. Exposed information included names, email addresses, physical addresses, and order histories.
The intrusion occurred on June 24, 2025, but Coupang said it did not detect the breach until Nov. 18. An internal probe began the same day. On Dec. 6, the company issued an update claiming the stolen data had not surfaced online. That reassurance did little to slow regulatory interest.
