Coupang fined $410 million in South Korea's record data breach penalty

South Korea's privacy regulator imposed a record $410 million fine on Coupang for a data breach affecting 37.6 million users, the largest corporate penalty of its kind in the country.

South Korea's Personal Information Protection Commission fined Coupang 624.68 billion won ($410.1 million) Thursday for a data breach affecting 37.6 million users, the largest corporate privacy penalty in the country's history.

"This incident was caused not by sophisticated hacking techniques, but by Coupang's inadequate basic security management system and negligence," Kyung Hee Song, chairwoman of the PIPC, said at a briefing.

The fine amounts to 1.4% of Coupang's 45 trillion won in 2025 revenue, according to Reuters calculations. A former Chinese software developer retained an authentication key after leaving the company, enabling unauthorized access for about a year until Coupang detected the breach in November 2025. The perpetrator accessed names, phone numbers and residential building key codes but not credit card or government identification data, Coupang said. The regulator also found the company illegally collected online activity data on about 11 million customers through a marketing program without their consent.

The penalty adds regulatory pressure on the Seattle-based e-commerce giant, which controls about 40% of South Korea's logistics market, and comes as Washington and Seoul continue trade negotiations. Coupang said it regrets the decision and expects facts to be "clearly established through legal procedures," signaling a potential appeal.

Coupang's stock fell 4.97% on the New York Stock Exchange following the announcement, reflecting investor concern over the financial and reputational impact. The company, incorporated in Delaware but deriving most of its revenue from South Korea, had previously said it would strengthen data protection systems.

The PIPC said Coupang failed to detect the breach within the 72-hour window required by South Korean law. Song noted the company's security system allowed the hacker to easily access personal information of all customers even after the suspect had left the firm, and that Coupang only became aware of the unusual data traffic after a customer inquiry.

The probe had drawn attention from US trade officials over concerns that Korean authorities had overreached in their treatment of the US-listed company. South Korea has maintained the investigation was neither a trade nor security issue and should be handled separately from ongoing bilateral talks.

The fine far exceeds previous data breach penalties imposed on South Korean companies including SK Telecom and KT, signaling a significant escalation in enforcement by the PIPC. The last comparable penalty — a 7.5 billion won fine against SK Telecom in 2023 for a data leak affecting 19 million users — was less than 2% of the current amount, underscoring the regulator's tougher stance.

This article is for informational purposes only and does not constitute investment advice.