South Korean authorities have imposed a record $408 million fine on e-commerce giant Coupang after concluding that a massive data breach exposed the personal information of more than 33 million customers.
The penalty, announced by the Personal Information Protection Commission (PIPC), is the largest data privacy fine ever issued in South Korea. Regulators said the company failed to implement adequate safeguards to protect customer information and did not notify authorities within the 72-hour period required under South Korean law, according to Al Jazeera, which cited comments from the privacy watchdog.
The breach affected more than 33 million users and was linked to unauthorized access to customer accounts. PIPC Chairperson Song Kyung-hee said during a briefing that the incident resulted from inadequate security systems rather than a sophisticated external cyberattack, according to Reuters.
"This accident occurred due to Coupang's lack of safety measures and systems, not sophisticated hacking," Song said, as reported by Reuters. She added that delayed notifications prevented affected individuals from taking prompt steps to protect themselves from potential secondary harm.
Coupang apologized after the regulator announced the fine but disputed parts of the findings. The company said it regretted that measures it had taken following the incident and explanations it provided to authorities were not sufficiently reflected in the regulator's decision.
The company also indicated it would challenge the penalty through legal channels, according to South Korea's Yonhap News Agency.
The fine follows a government investigation that examined the origins of the breach earlier this year. South Korea's Ministry of Science and ICT concluded that a former employee, identified as a Chinese national, stole a security key and used it to gain unauthorized access to customer data, according to findings reported by The Korea Herald.
The case has drawn significant attention because of Coupang's dominant position in South Korea's online retail market. The company, which is listed on the New York Stock Exchange and headquartered in Seattle, generates the vast majority of its revenue in South Korea. Market estimates from Seoul-based IM Securities cited by Al Jazeera place Coupang's share of South Korea's logistics services market at approximately 40%, making it the country's largest player in the sector.
Regulators argued that the scale of Coupang's operations increased its responsibility to maintain robust data protection systems. Song said the company had expanded its e-commerce services through extensive use of customer data but lacked sufficient systems to manage and protect that information.
The investigation into the breach also became a source of diplomatic friction between Seoul and Washington. Earlier this year, concerns were raised by several U.S. lawmakers regarding South Korea's handling of the probe into the American-listed company. According to Reuters, some Republican lawmakers argued that the investigation reflected discriminatory treatment toward U.S. businesses operating in South Korea.
The dispute prompted a response from South Korean lawmakers. Nearly 100 legislators signed a joint letter defending the investigation and expressing concern about what they described as outside pressure regarding the country's regulatory process.
The penalty far exceeds the previous record privacy-related fine in South Korea. In 2025, telecommunications company SK Telecom was fined approximately $88 million over a separate data leak incident.
