South Korea’s Personal Information Protection Commission fined Coupang a record 624.7 billion won ($409 million) over a data breach that exposed roughly 33.7 million customer accounts. The penalty, the largest in South Korean history, has deepened a diplomatic rift between Seoul and Washington.TL;DR
South Korea’s privacy watchdog has slapped e-commerce giant Coupang with a record-breaking 624.7 billion won ($409 million) fine, the largest data breach penalty in the country’s history. The ruling, handed down today by the Personal Information Protection Commission (PIPC), dwarfs the previous record of 134.8 billion won imposed on telecoms firm SK Telecom last year.
The penalty stems from a breach that reportedly exposed the personal data of more than 33.7 million customer accounts, roughly two-thirds of South Korea’s entire population. Names, email addresses, phone numbers, shipping addresses, and order histories were all compromised, though payment credentials were reportedly unaffected.
According to Al Jazeera, a former Coupang employee who was a Chinese national stole a cryptographic signing key and used it to gain unauthorised access to customer data from overseas servers. The intrusion reportedly ran undetected for nearly five months, from June to November 2025.
The 💜 of EU tech
The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!
Coupang first detected suspicious activity on 18 November 2025, but took 48 hours to notify regulators, missing the legally mandated 24-hour reporting window. That delay became a central factor in the severity of the punishment, according to the PIPC’s findings.
The headline figure comprises two distinct penalties. The PIPC imposed 423.6 billion won for the breach itself, citing inadequate management of authentication keys and lax access controls that allowed a former employee to reach customer data long after leaving the company.
A separate 201.1 billion won penalty was added for the unauthorised collection of online activity records belonging to reportedly 11.17 million users who accessed services outside Coupang’s platform. The company’s logistics arm, Coupang Fulfillment Services, also received an additional 248 million won fine for separate privacy violations.
The financial damage extends well beyond the fine. In December 2025, Coupang announced a compensation plan totalling approximately 1.69 trillion won ($1.17 billion) in platform-only vouchers for affected customers.
CEO Park Dae-jun resigned the same month, and the US parent company appointed Harold Rogers as interim chief. The leadership shake-up underscored the gravity of the crisis for South Korea’s dominant online retailer.
Shares in the New York-listed firm have suffered accordingly. Coupang’s stock is down roughly 32% year-to-date as of 10 June 2026, following a Citi downgrade from Buy to Neutral in May after the company posted a $266 million net loss in the first quarter, driven in part by the voucher programme’s impact on its books.
The Coupang case has also become entangled in broader US-South Korea tensions. Fifty-four Republican members of Congress wrote to South Korea’s ambassador accusing the country of a “whole-of-government assault” on the company.
There is growing speculation that the fallout was among the factors behind the White House’s decision to raise tariffs on South Korean goods from 15% to 25% in late January 2026. Seoul has pushed back firmly.
Nearly 100 South Korean lawmakers signed a letter warning that external pressure on the investigation would infringe on the country’s judicial sovereignty. The dispute has widened into a broader test of whether Washington can leverage trade policy to shield US-listed companies from foreign regulatory action, a dynamic not unlike the tensions over European tech enforcement that have intensified in recent months.
Coupang’s penalty arrives at a moment when regulators worldwide are wielding larger sticks. The EU fined Meta a record €1.2 billion for transferring European user data to the United States, while cumulative GDPR penalties have now surpassed €7 billion.
In the US, the FTC’s $5 billion fine against Facebook over the Cambridge Analytica scandal remains the benchmark for Big Tech privacy penalties. Google also faces a major EU penalty under the Digital Markets Act before the summer recess.
For Coupang, the road ahead is steep. The company must now navigate ongoing shareholder lawsuits, a leadership vacuum, and the challenge of rebuilding consumer trust in a market where it handles a majority of e-commerce transactions.
Its response to the PIPC ruling, and whether it appeals the fine, will be closely watched by regulators and technology companies across Asia and beyond.
Get the most important tech news in your inbox each week.
