South Korea fines Coupang about $410 million over data-law breaches

South Korea’s privacy watchdog has fined Coupang 624.68 billion won, about $410.1 million, in what regulators described as a record penalty tied to a major data breach and related privacy-law violations.

The Personal Information Protection Commission said the case involved both failures connected to the breach itself and the unlawful collection of user activity data from other websites. Reporting says the fine is the largest ever imposed on a single company in South Korea.

The commission said the personal-data leak affected 37.6 million people, more than 70% of South Korea’s population. According to reporting, the exposed information included names, phone numbers and residential access codes, while payment-card data was not reported as compromised.

Coupang said it regrets the decision, plans to strengthen its data protections and may challenge the ruling through legal channels.

Record penalty

The commission split the penalty into 423.5 billion won for data-breach violations and 201.1 billion won for unlawfully collecting user activity data from other websites.

That division matters because the case is not only about a breach that exposed customer information. Regulators also said Coupang crossed a legal line in how it handled user activity data, widening the scope of the enforcement action.

Coupang is headquartered in Seattle and incorporated in Delaware, but most of its revenue comes from South Korea. That makes the ruling significant not just for the company’s compliance program, but also for how privacy enforcement could affect one of the country’s most widely used e-commerce platforms.

How the breach developed

The breach was first disclosed in 2025 and remained under government investigation into 2026. Earlier reporting said Coupang detected unauthorized access in its systems before the matter expanded into a broader regulatory case.

Investigators later attributed the incident to inadequate security controls rather than a sophisticated external hack, according to reporting. One reported factor was that a former Chinese software developer retained an authentication key after leaving Coupang, which allowed unauthorized access for about a year.

The commission said the breach affected 37.6 million people. That scale makes it one of the most consequential privacy incidents South Korea has seen and helps explain why regulators treated the case as a national enforcement test.

Why the case matters

The ruling is important because it combines a record fine with a breach that touched tens of millions of users. For a company whose business depends on consumer trust, the findings could carry long-term reputational and commercial damage.

It also signals a tougher enforcement posture on privacy and platform accountability in South Korea. The commission’s action suggests regulators are prepared to pursue large penalties when they believe companies failed to protect personal data or used customer information in ways that violated the law.

The case has also drawn attention because Coupang is a major company with deep ties to South Korea’s consumer market but corporate roots in the United States. That cross-border profile makes the decision relevant to both domestic regulators and international investors watching data-risk exposure.

Earlier reporting said the breach had already fueled broader political and diplomatic tensions. That context helps explain why a consumer data incident evolved into a much larger public issue.

What happens next

Coupang has not been reported to have filed a formal appeal yet, but it has said it may challenge the ruling. The company has also said it will strengthen its data protections.

The next major question is whether South Korea’s commission releases a fuller written decision with additional detail on the violations and reasoning behind the penalty. Another open question is whether authorities impose any further enforcement steps tied to the breach.

Investors, consumers and regulators in South Korea and the U.S. will be watching for a formal appeal, any additional orders, and any sign that the penalty changes how large platforms handle privacy compliance in the country.

For now, the fine is the clearest regulatory response yet in a case that began with a breach disclosure in 2025 and ended, for the moment, with a record-setting penalty in June 2026.