Coupang faces record-high fine of $409 million over last year's data breach

E-commerce giant Coupang will face a record-high fine of more than 624.6 billion won ($409.3 million), as the state-run privacy watchdog announced on Thursday that a massive data breach last November had exposed the personal information of 37 million customers.
Investigators concluded that a large-scale data breach had taken place, contrary to Coupang’s assertion that the exposure was limited.
During its plenary session on Wednesday, the Personal Information Protection Commission (PIPC) decided to impose a fine of 624.68 billion won and an administrative penalty of 16.8 million won on Coupang for violations of the Personal Information Protection Act.
Specifically, the PIPC levied a 423.5 billion won fine on the company for leaking the information of 37.5 million users and a 201.1 billion won fine for the unauthorized collection and storage of the online activity of about 11.17 million users who accessed third-party websites and apps through the platform.
It also made recommendations for improvement, imposed corrective orders and public disclosure measures and filed a criminal complaint.
Separately, the commission fined Coupang Fulfillment Services (CFS), the company’s logistics subsidiary, 248 million won.

Coupang had claimed that the perpetrator had stored only about 3,000 records of limited data, despite their unauthorized access to 33 million customer accounts.
The government concluded that Coupang was at fault for mismanaging customers’ personal data and the fallout from the leak.
The company issues authentication tokens to users who log in to its website or app, allowing continued access without repeated verification. Investigators found that the hacker used previously collected personal information to generate substitute or forged authentication tokens and steal data from Coupang.
“While the token-based authentication system requires strict operation and oversight, Coupang failed to maintain basic and adequate control of its security,” the commission said.
Another violation occurred during the process of notifying affected customers of the leak. Although the company recognized on Jan. 30 that data belonging to an additional 160,000 individuals had been leaked, it failed to notify them within the legally mandated 72-hour period and only did so on Feb. 5.

Additionally, regulators found that the company was responsible for exposing the personal information of those who had unsubscribed from their memberships or deleted their accounts.
Under Coupang’s own privacy policy, the personal data of former users must be deleted 90 days after they close their accounts.
However, the company retained ex-users’ bank account information and delivery address information in 318,499 and 2.47 million cases, respectively. It also built a database comprising the personal information of 717,865 former users and used it to send text messages and emails.
The government further determined that Coupang interfered with the state probe.

Separately, CFS was found to have collected and maintained a list of 71 people in the press corps at the National Police Agency. The company then placed the individuals, none of whom had ever worked at its logistics centers, on a restricted-employment list — later known as the “Coupang blacklist” — without either obtaining the reporters’ consent or informing them that their information had been collected and registered.
CFS was also found to have improperly handled its employees’ health data.
The company, which regularly received employee health screening results, provided the body weights of 80 employees to a court during legal proceedings in March 2024. The regulator determined that the submission constituted unlawful processing of sensitive personal information and imposed a fine.
“I hope that these punitive measures serve as a catalyst for stronger security measures and tighter internal oversight across online platforms that have become integral to everyday life,” said Song Kyung-hee, the chairperson of the commission.
BY MOON HEE-CHUL [lee.soojung1@joongang.co.kr]
Copyright © Korea JoongAng Daily. Unauthorized reproduction and redistribution prohibited.