South Korean regulators have imposed a record 624.6 billion won ($409 million) penalty on e-commerce giant Coupang following a data breach that exposed the personal information of tens of millions of customers and an investigation into the company’s handling of user data.

The sanction, announced by the Personal Information Protection Commission (PIPC), is the largest privacy-related penalty ever issued in South Korea. Regulators said the case involved both a major customer data leak and the unlawful collection of online activity data from users.

According to the PIPC, more than 33 million customers were affected by the breach. Other reports put the number of impacted individuals at 37.6 million, making it one of the largest data exposure incidents in the country’s history. Investigators said customer information was accessible for an extended period before the company detected the problem.

The regulator concluded that the incident resulted from inadequate internal security controls rather than a sophisticated external attack. Officials said a former employee retained access to a security key that allowed unauthorized access to customer information even after leaving the company. Investigators also found that the company failed to promptly identify unusual activity and did not detect the breach within the reporting timeframe required under South Korean law.

Beyond the breach itself, the commission said Coupang illegally collected information about the online activities of approximately 11 million users through its marketing systems without obtaining proper consent. That finding contributed significantly to the overall penalty.

South Korean authorities have previously disclosed that exposed information included customer details such as names, phone numbers, email addresses, delivery information, and other account-related data. A government-backed investigation earlier this year concluded that more than 33.6 million accounts had been exposed.

Coupang apologized following the regulator’s announcement but criticized aspects of the decision. The company said its efforts to prevent further harm after the breach were not adequately reflected in the commission’s findings and indicated it may challenge the ruling.

The penalty amounts to roughly 1.4% of Coupang’s 2025 revenue, according to regulatory calculations. The PIPC said the case demonstrated that companies handling large volumes of customer data must maintain security and monitoring systems that match the scale of their operations.
