South Korea's Personal Information Protection Commission announced on Thursday that it has levied a fine of approximately 624.7 billion won (about $408 million) on e-commerce giant Coupang, Inc. for a large-scale user data leak and the illegal collection of personal information. This penalty sets a new record in South Korea for data breach fines, significantly surpassing the previous $88 million fine imposed on SK Telecom last year.
The commission's investigation found that a former employee, who had left the company the previous year, repeatedly accessed user information between April and November 2025 using a signature key from an alternative authentication system they developed while employed. The incident stemmed from severe deficiencies in Coupang's security protections, including poor management of authentication keys and lax access controls, which led to the exposure of personal data for approximately 37.5 million users. The leaked information included names, contact details, delivery addresses, and order records.
The commission stated that this was not a sophisticated hacking attack but rather a result of Coupang's failure to implement basic security measures and systems. The company failed to detect 148 million abnormal access attempts and sudden traffic surges during the attack period, indicating that its access controls were not functioning properly. Furthermore, Coupang did not notify affected users within the legally mandated 72-hour window, which deprived them of the opportunity to take preventive measures against secondary damages.
The investigation also revealed that Coupang illegally collected the online activity records of about 11.17 million users from third-party websites and applications without a proper legal basis. This data was stored in a database in an identifiable state, for which the commission imposed an additional fine of 201.1 billion won.
Coupang subsequently issued a statement expressing deep regret for the concern caused to its customers and the public and pledged to strengthen its data protection framework. However, the company also stated its regret that the commission did not fully acknowledge the proactive measures it took to prevent secondary damage and its explanations based on clear facts. Coupang indicated it would seek to clarify the facts through legal procedures upon receiving the official ruling.
Coupang, Inc. is South Korea's largest online retail platform, controlling about 40% of the logistics market. The company is listed in the United States but derives the majority of its revenue from South Korea. This incident has sparked diplomatic friction between South Korea and the U.S., with nearly 100 South Korean lawmakers sending a joint letter in April expressing concern over what they described as undue pressure from U.S. political circles regarding the investigation.
Comments