South Korea Hits Coupang With Record $409 Million Fine Over Massive Data Breach
Privacy Regulators Say Security Failures Exposed Data of More Than 33 Million Customers
South Korean regulators have imposed a record 625 billion won ($409 million) fine on e-commerce giant Coupang after concluding that the company failed to adequately protect customer data in one of the country’s largest-ever privacy breaches.
The penalty, announced Thursday by South Korea’s Personal Information Protection Commission, stems from a 2025 incident in which personal information belonging to more than 33 million users was exposed. Authorities said the company also illegally collected online activity data from millions of customers without proper consent.
The fine represents roughly 1.4% of Coupang’s estimated 2025 revenue of 45 trillion won, according to Reuters calculations.
The case is drawing attention beyond South Korea because Coupang is publicly traded in the United States and has become one of Asia’s most closely watched e-commerce companies, often compared to Amazon for its rapid-delivery business model.
Regulators Blame Weak Internal Security
South Korean privacy officials said the breach was not the result of highly sophisticated cyberattacks but instead stemmed from basic security shortcomings.
“This accident occurred due to Coupang’s lack of safety measures and systems, not sophisticated hacking,” privacy commission chairperson Song Kyung-hee said during a Thursday briefing.
According to the investigation, a former employee who was a Chinese national allegedly stole a security key that enabled unauthorized access to customer accounts. Officials said Coupang’s systems continued to allow broad access to sensitive customer information even after the employee had left the company.
Regulators also criticized the company for failing to identify suspicious activity quickly enough. Under South Korean law, companies are required to detect and report data breaches within 72 hours.
Customer Inquiry Triggered Discovery
Authorities said Coupang did not detect unusual spikes in traffic involving customer information until a customer raised concerns directly with the company.
Song said the company’s systems effectively allowed a hacker to gain access to the personal information of nearly all customers stored on the platform.
The investigation additionally found that Coupang’s marketing operations collected online activity information from roughly 11 million users without obtaining legally required consent.
Coupang Issues Apology but Pushes Back on Findings
Following the announcement, Coupang apologized publicly for the concerns caused by the breach.
However, the company also signaled disagreement with parts of the regulator’s conclusions.
“We regret that our proactive measures to prevent secondary harm from last year’s data leak incident, as well as our explanations based on clear facts, were not sufficiently reflected” in the commission’s decision, the company said in a statement.
Seattle-based Coupang generates most of its business in South Korea, where it has become a dominant force in online shopping and logistics through rapid grocery and package delivery services.
According to Seoul-based IM Securities, the company controls approximately 40% of South Korea’s logistics services market, giving it the largest market share among competitors.
Data Privacy Becomes Global Business Risk
The size of the penalty highlights the increasing financial and legal risks companies face worldwide over data privacy and cybersecurity failures.
South Korea has strengthened its digital privacy laws in recent years, aligning more closely with stricter international standards seen in regions such as the European Union and parts of the United States, including California’s consumer privacy framework.
The investigation also created friction between Seoul and Washington during ongoing discussions related to a broader trade agreement between the two allies.
Some observers in the United States raised concerns that South Korean authorities may have treated the U.S.-listed company too aggressively. South Korean officials rejected that criticism, saying the Coupang investigation should be viewed strictly as a regulatory and consumer-protection issue rather than a trade dispute.
Regulators Say Company Growth Outpaced Safeguards
Officials argued that Coupang’s rapid expansion was not matched by adequate investment in customer-data protection systems.
“Coupang has grown its e-commerce service significantly based on vast customer data,” Song said. “But the company did not have a system to protect and manage customer information despite its business scale.”
The case is likely to increase scrutiny of major technology and retail platforms operating across international markets, particularly companies handling large amounts of consumer data while expanding logistics and digital advertising businesses.
As regulators globally continue tightening enforcement around privacy practices, the record penalty against Coupang may become a warning sign for other multinational e-commerce firms navigating increasingly strict cybersecurity expectations.
Typical creator. Subtly charming web advocate. Infuriatingly humble beer aficionado.
