South Korea’s Personal Information Protection Commission has imposed a $409 million fine on Coupang for leaking personal data of over 33 million customers and failing to detect the breach within the legally required 72 hours, marking the country’s largest penalty for a data breach.
- Fine totals $409 million, largest data breach penalty in South Korea
- Data of 33 million customers leaked, breach detected late
- Illegal data collection of 11 million users uncovered
What happened
South Korea’s Personal Information Protection Commission fined Coupang 625 billion won (about $409 million) after confirming a massive data breach last year involving the leak of personal information from more than 33 million customers. The company also unlawfully collected data on approximately 11 million customers through its marketing activities without their consent. The investigation found that Coupang failed to detect the breach within the mandatory 72-hour window required by South Korean law.
The breach was linked to a former employee who stole a security key to gain unauthorized access. Coupang’s security systems were deemed inadequate, as they continued to allow data access even after the employee left. The breach was detected only after a customer inquiry raised suspicion, highlighting deficiencies in Coupang’s monitoring and response mechanisms.
Why it matters
This $409 million fine is the largest data breach penalty ever imposed in South Korea, emphasizing the government’s commitment to protecting personal information amid rising cyber threats. It also underscores the need for companies handling vast customer data—especially those expanding rapidly like Coupang—to implement rigorous data security measures that comply with legal standards.
Coupang dominates South Korea’s logistics and e-commerce market with about 40% market share, making its data protection practices critical both for consumer trust and national digital security. The penalty comes amid heightened scrutiny of how tech companies safeguard sensitive user information while managing large-scale operations, signaling increasing regulatory and public expectations.
What to watch next
Following this fine, attention will focus on how Coupang strengthens its data security infrastructure and updates compliance frameworks to prevent future incidents. The company has expressed regret for the breach and disagreed with aspects of the regulator’s decision, indicating possible continued dialogue or legal challenges ahead.
Broader regulatory trends in South Korea and globally will also be important to monitor, as authorities weigh harsher penalties and enhanced enforcement for data breaches, particularly among major digital platforms. Additionally, the ongoing trade tensions between South Korea and the US could intersect with regulatory actions involving US-listed firms like Coupang, although the government asserts the data breach probe is independent of trade issues.