South Korea fines Coupang record $409M over data breach

South Korea's data protection regulator has imposed a record 624.6 billion won fine, roughly $409 million, on e-commerce giant Coupang for a massive data breach that exposed the personal information of more than 37 million customers.

PIPC cites multiple violations in security practices. The Personal Information Protection Commission determined that approximately 37.55 million people's data was leaked due to inadequate security measures, including failures in authentication key management and access controls. Investigators also identified violations of data destruction and leak-notification requirements, interference with the independence of Coupang's data protection officer, and obstruction of the investigation.

Coupang Fulfillment Service received an additional 248 million won fine for unlawfully collecting, using, and handling customers' personal and sensitive data. The PIPC stated that regarding Coupang's violation of safety measure obligations and collection of personal information without legal basis, a fine of 624.681 billion won and a fine of 16.8 million won were imposed, along with corrective orders, announcements, and publication orders.

Breach timeline and suspect identified. The breach occurred in late June but was discovered only in mid-November, when Coupang warned that 33.7 million accounts had been compromised. South Korean authorities identified the primary suspect as a 43-year-old Chinese national who worked in Coupang's IT department between 2022 and 2024.

Coupang later said that the former employee returned multiple hard drives containing sensitive data. The suspect also disposed of a MacBook Air laptop in a river in an attempt to destroy evidence, but the device was recovered. Coupang added that the suspect retained user data for approximately 3,000 accounts, even though they accessed millions of accounts, and that this data was deleted from all devices and not transferred to others.

Company response includes compensation plan. Coupang announced plans in late December to pay 1.685 trillion won, approximately $1.17 billion, and to start distributing single-use purchase vouchers totaling 50,000 won, about $34, per customer in January 2026 to compensate over 33 million affected customers. The company employs 95,000 people and has reported annual revenue exceeding $30 billion as an American online retail operator in the South Korean market.

Context of similar large-scale incidents in Korea. In a related case, SK Telecom warned customers in April that sensitive USIM data had been exposed after its network was infected with malware. The company later revealed the malware was first deployed on its systems in June 2022, affecting a total of 27 million subscribers, representing almost its entire customer base.

This breach ranks as one of the worst in South Korea's history. The PIPC's actions mark the largest penalty of its kind in the country.