E-commerce Giant Hit with Record $409M Fine for Massive Data Breach

South Korean authorities have imposed a record-breaking 625 billion won ($409.30 million) penalty on e-commerce company Coupang following a major customer data breach and unauthorized personal information gathering, marking the nation’s heaviest corporate fine for data privacy violations.

The Personal Information Protection Commission announced that the company, which trades on the New York Stock Exchange, exposed personal information belonging to more than 33 million customers and did not identify the security breach within the legally mandated 72-hour window.

Based on calculations, the financial penalty represents 1.4% of Coupang’s 45 trillion won revenue for 2025.

“This accident occurred due to Coupang’s lack of safety measures and systems, not sophisticated hacking,” Song Kyung-hee, the chairperson of the privacy regulator, told a briefing on Thursday.

Following the penalty announcement, Coupang apologized for causing concern among the public and its customers.

The company expressed disappointment, stating that “we regret that our proactive measures to prevent secondary harm from last year’s data leak incident, as well as our explanations based on clear facts, were not sufficiently reflected” in the regulator’s decision.

The Seattle-headquartered company earns the majority of its income in South Korea through rapid delivery services for groceries, meals and various merchandise.

This punishment stems from a government-conducted investigation completed earlier this year that attributed the security failure to inadequate management oversight.

The science ministry previously revealed that a former worker who held Chinese citizenship took a security key and obtained unauthorized entry to customer profiles.

Song explained that Coupang’s protection systems enabled unauthorized access to all customer personal data, continuing even after the individual departed from the organization.

The company additionally failed to notice abnormal spikes in customer database traffic until a customer complaint brought them to its attention, she noted.

In a separate violation, regulators determined the company’s promotional activities unlawfully gathered online behavior data from approximately 11 million customers without obtaining proper consent, Song reported.

The data breach investigations contributed to diplomatic tensions with Washington, as concerns arose that Korean officials may have treated the U.S.-listed corporation too harshly while both nations work out specifics of a trade agreement reached last year.

South Korea maintained that its Coupang investigation represents neither a trade nor security matter and should remain distinct from ongoing Washington discussions.

According to Seoul-based IM Securities, the company commands roughly 40% of South Korea’s delivery market, the dominant position among competitors.

“Coupang has grown its e-commerce service significantly based on vast customer data,” Song said. “But the company did not have a system to protect and manage customer information despite its business scale.”