
South Korea hits Coupang with record $409 million fine after massive data breach exposes 33 million users
South Korea’s privacy regulator slapped e-commerce giant Coupang with a 624.7 billion won ($409 million) penalty — the largest data-protection fine in the country’s history — over a breach that exposed personal details of more than 33 million customers and deepened diplomatic tensions with Washington.
The breach
A former employee who was a Chinese national stole a cryptographic signing key and used it to access customer data from overseas servers for nearly five months, from June to November 2025. The intrusion exposed names, email addresses, phone numbers, shipping addresses, and order histories of more than 33.7 million customer accounts — roughly two-thirds of South Korea’s population. Payment credentials were reportedly not compromised.
Coupang first detected suspicious activity on 18 November 2025 but took 48 hours to notify regulators, missing the legally mandated 24‑hour reporting window. That delay became a central factor in the severity of the punishment, according to the Personal Information Protection Commission (PIPC).
- Former employee begins unauthorised access to customer data using stolen cryptographic key
- Coupang detects suspicious activity but waits 48 hours to notify regulators
- CEO Park Dae‑jun resigns; company announces 1.69 trillion won voucher compensation plan
- PIPC imposes record 624.7 billion won fine on Coupang
Regulatory findings and the record penalty
The PIPC imposed a headline figure of 624.7 billion won (about $409 million), comprising 423.6 billion won for the breach itself and 201.1 billion won for the unauthorised collection of online activity records belonging to 11.17 million users who accessed services outside Coupang’s platform. A separate 248 million won fine was added for Coupang Fulfillment Services. The total far exceeded the previous South Korean record of 134.8 billion won imposed on SK Telecom.
This accident occurred due to Coupang’s lack of safety measures and systems, not sophisticated hacking.
The regulator found that Coupang failed to inform affected individuals, did not delete exposed data, did not guarantee the independence of its data protection officer, and attempted to hinder the investigation.
- Coupang (2026): 409 million USD
- Meta (Ireland, 2021): 306 million USD
- SK Telecom (2025): 88 million USD
Coupang’s response and corporate fallout
Coupang apologised for causing concern but said it regretted that its proactive measures and explanations “were not sufficiently reflected” in the ruling. The company signalled it would challenge the fine in court. CEO Park Dae‑jun resigned in December 2025, and the same month the company announced a compensation plan totalling 1.69 trillion won ($1.17 billion) in platform‑only vouchers for affected customers.
Diplomatic friction with Washington
Coupang is headquartered in Seattle, United States, but generates most of its revenue in South Korea. The investigation drew accusations from US Republicans that Seoul’s probe constituted “discriminatory regulatory actions” against US businesses. South Korean lawmakers responded with a joint letter signed by nearly 100 politicians raising concerns over “undue pressure” from US politicians, adding a diplomatic dimension to the data‑privacy case.
Financial weight of the penalty
The fine is almost equal to the 473 billion won ($473 million) operating profit Coupang reported last year. By comparison, the Irish Data Protection Commission fined Meta $306 million in 2021 after the exposure of 533 million users’ data worldwide.


