South Korea fines Coupang $409M for massive data breach
South Korea fined Coupang a record $409 million for a major customer data breach.
Why it matters: Data privacy regulators worldwide are escalating enforcement, signaling high stakes for legal compliance related to data protection and breach notification.
- South Korea's PIPC imposed a 624.7 billion won (about $409M) fine on Coupang.
- Data breach affected over 37 million users' personal info, including names and delivery details.
- Coupang collected online activity data from 11.17 million users without consent, fined 201.16 billion won.
- Coupang Fulfillment Services fined 248 million won for violating privacy rules.
- Coupang failed to notify affected users within the 72-hour legal window.
- Coupang plans to challenge the regulatory decision.
South Korea’s Personal Information Protection Commission (PIPC) has imposed a record 624.7 billion won (approximately $409 million) fine on Coupang, the country’s largest e-commerce platform, following a significant data breach that compromised the personal information of approximately 37.55 million users. This enforcement action marks the largest penalty under South Korea's data privacy laws to date.
The breach, discovered in December 2025, exposed sensitive data such as names, email addresses, phone numbers, and delivery details. The PIPC found that Coupang’s inadequate safeguards—including poor management of authentication signing keys and lax access controls—were central to the incident. Additionally, Coupang failed to notify affected individuals within the legally mandated 72-hour notification window.
Beyond the breach, the PIPC also fined Coupang 201.16 billion won for collecting online activity records from 11.17 million users without their consent, violating privacy consent requirements. Coupang Fulfillment Services, the company's logistics arm, was separately fined 248 million won for privacy violations including maintaining an employment restriction list targeting journalists.
The PIPC statement emphasized that the fines were imposed due to Coupang’s negligence in managing personal information protection and unauthorized data collection practices. A Coupang representative issued a public apology but announced plans to challenge the regulator's decision.
This case highlights the rising global regulatory pressure on companies to comply with stringent data privacy laws and swiftly address breaches to protect consumer data.
By the numbers:
- 624.7 billion won ($409 million) — total fine imposed on Coupang
- 37.55 million users — personal data compromised
- 11.17 million users — had online activity data collected without consent
- 72 hours — legal timeframe for breach notification not met
Yes, but: Coupang has announced plans to challenge the PIPC's decision, potentially altering the final penalty outcome.
What's next: The outcome of Coupang’s challenge to the fine will be closely watched as it could impact enforcement rigor under South Korea’s data protection regime.