South Korea has imposed its largest-ever data protection penalty on e-commerce giant Coupang, fining the company more than $400 million over a large-scale data breach that exposed personal information belonging to tens of millions of users.
The Personal Information Protection Commission (PIPC) announced on Wednesday that it had levied a fine of 624.68 billion won on Coupang after concluding that the company failed to implement adequate safeguards for customer data. The regulator said the breach involved violations of safety obligations and the unlawful collection of personal information.
According to the commission, weaknesses in Coupang’s security systems, including poor management of authentication keys and insufficient access controls, allowed sensitive user data to be exposed. The leaked information included names, contact details, delivery addresses and order histories. In total, around 37.5 million user accounts were affected, a figure that represents more than half of South Korea’s population of approximately 50 million people.
Coupang, often described as South Korea’s equivalent of Amazon, confirmed it had received the regulator’s decision and expressed regret over the incident. The company said it would strengthen its security systems and take additional steps to prevent similar breaches in the future. However, it also announced plans to challenge the ruling, arguing that its explanations and corrective measures had not been fully taken into account.
The company stated that it expects the facts of the case to be clarified through legal proceedings once the official resolution is reviewed in detail.
The breach first came to light in November, prompting a months-long investigation. Coupang initially reported that about 4,500 accounts had been compromised but later revised its estimate significantly upward after internal checks suggested that nearly 34 million customer accounts in South Korea may have been exposed. Investigators believe the intrusion may have begun as early as June, with activity traced to an overseas server.
The incident led to leadership changes within the company. Coupang’s chief executive Park Dae-jun stepped down following public backlash and issued an apology. Harold Rogers, the company’s chief administrative officer, was appointed interim CEO.
The case adds to growing concern over cybersecurity vulnerabilities in South Korea, despite the country’s reputation for strict data protection standards. Other major firms have also faced penalties in recent years, including telecom operator SK Telecom, which was fined nearly $100 million following a breach that affected more than 20 million subscribers.
Authorities say the Coupang case highlights ongoing risks in the digital economy and the need for stronger corporate safeguards to protect consumer data.
