South Korea’s Personal Information Protection Commission (PIPC) has levied a penalty surcharge of Won624.68bn ($411.19m) on e-commerce company Coupang, marking the largest penalty ever imposed in the country for a personal data breach.
Of the total amount, Won423.6bn relates directly to the leak of customer data while a further Won201.1bn has been imposed for the unauthorised or non-consensual collection of personal information.
Go deeper with GlobalData
Discover B2B Marketing That Performs
Combine business intelligence and editorial excellence to reach engaged professionals across 36 leading media platforms.
The PIPC also issued a separate administrative fine of Won16.8m, alongside corrective orders, a publication order and a directive requiring Coupang to make the disposition public.
The commission said the breach compromised the personal details of around 37.55 million users, including names, email addresses, phone numbers and home addresses, with the exposure occurring between April and November 2025.
Investigators concluded that the breach stemmed from weaknesses in the company’s security practices, citing poor handling of authentication signing keys and insufficient access controls, rather than the result of a sophisticated cyberattack.
The PIPC also found separate privacy breaches by Coupang Fulfillment Services, for which it imposed an additional penalty surcharge of Won248m.
The case stems from a months-long investigation that PIPC launched in November 2025, following reports that surfaced that month alleging the data breach had occurred.
Responding to the ruling, Coupang said it regretted the concern caused, but argued that the steps it had taken to limit secondary harm and its own explanations had not been adequately considered in the commission’s findings.
According to several reports, the company indicated that it intends to pursue the matter through legal channels, suggesting it may contest the penalty in court.
In December, Coupang issued an apology after disclosing that the personal data of millions of customer accounts had been compromised.
That same month, the company’s then-chief executive, Park Dae-joon, stepped down following the fallout from the breach.
Its US-based parent company, Coupang Inc, subsequently appointed Harold Rogers, who had been serving as chief administrative officer and general counsel, as interim chief executive.
