South Korea’s largest e-commerce platform, Coupang, has been slapped with a record-breaking fine of over $409 million by the country’s Personal Information Protection Commission (PIPC) following a massive data breach that exposed the personal information of tens of millions of customers and ignited a diplomatic spat with the United States. The penalty, announced on June 11, 2026, is the largest ever imposed in South Korea for a personal data breach, dwarfing the previous record of 134.8 billion won levied against SK Telecom just last year, according to Reuters and Bloomberg.
The data breach, which came to light in late 2025, involved unauthorized access to customer information—including names, contact and delivery details, and order histories—of more than 33 million accounts. That’s roughly two-thirds of South Korea’s population, a staggering figure that underscores the scale of the incident. According to BBC, the breach began as early as June 2025, originating through a server based outside the country, and went undetected for months.
Regulators found that the breach was not the result of a sophisticated cyberattack but rather Coupang’s “inadequate basic safety management system and negligent management.” Song Kyung-hee, chairperson of the PIPC, told reporters, “This accident occurred due to Coupang’s lack of safety measures and systems, not sophisticated hacking.” She added, “Coupang has grown its e-commerce service significantly based on vast customer data, but the company did not have a system to protect and manage customer information despite its business scale.” (Reuters, Al Jazeera).
The government-led investigation revealed that the breach was triggered by a former Coupang employee, a Chinese national, who stole a security key and gained unauthorized access to customer accounts. Even after the suspect left the company, Coupang’s security system continued to allow easy access to sensitive customer data. The company also failed to detect an unusual increase in traffic to its customer database until a customer inquiry brought it to their attention, as noted by Song.
Adding to the gravity of the situation, Coupang failed to report the breach within the 72-hour window required by South Korean law. This delay meant that affected customers had no opportunity to take steps to prevent secondary harm. “Coupang delayed breach notifications,” Song said. “As a result, those individuals were unaware of the breach and deprived of the opportunity to take steps to prevent secondary harm.” (Al Jazeera).
Of the total fine, 423.6 billion won was imposed for leaking personal data, while an additional 201.1 billion won was levied for non-consensual data collection. The PIPC also imposed a separate 248 million won penalty on Coupang Fulfillment Services, the company’s logistics subsidiary, for unlawfully collecting personal information and using it to place individuals on an employment restriction list. Furthermore, regulators found that Coupang’s marketing program had illegally collected the online activity data of around 11 million customers without their consent.
Coupang, often dubbed “South Korea’s Amazon,” is incorporated in the United States and listed on the New York Stock Exchange, but it generates the vast majority of its revenue in South Korea. The company controls about 40% of the country’s logistics services market, according to Seoul-based IM Securities (Reuters).
The fallout from the breach and the subsequent regulatory action has not been limited to financial penalties. Coupang’s CEO Park Dae-jun resigned following the incident, with Harold Rogers stepping in as interim chief administrative officer, as reported by the BBC. The company’s shares have tumbled by approximately 35% since the start of the year, and Coupang has warned that revenue growth will slow in 2026 as a result of customer compensation measures, including issuing vouchers.
The incident has also reverberated beyond South Korea’s borders, sparking diplomatic tensions with the United States. Greenoaks Capital Partners, a major investor in Coupang, urged the U.S. government to investigate what it described as discriminatory treatment of the American-listed company. In response, nearly 100 South Korean lawmakers sent a joint letter in April, expressing concern over what they saw as “undue pressure” from U.S. politicians regarding Seoul’s investigation. U.S. Republicans had previously accused South Korea of “discriminatory regulatory actions” against U.S. businesses. However, South Korean officials have insisted that the investigation into Coupang is neither a trade nor security issue and should remain separate from broader trade negotiations with Washington.
In the wake of the fine, Coupang has publicly expressed regret for the concern caused to customers and the public. In a statement, the company said, “We regret that our proactive measures to prevent secondary harm from last year’s data leak incident, as well as our explanations based on clear facts, were not sufficiently reflected in the regulator’s decision.” Coupang also indicated its intention to challenge the PIPC’s ruling in court, stating, “Once we receive the commission’s formal written decision, we hope the facts will be clearly established through the legal proceedings.” (Bloomberg, Reuters).
The data breach and subsequent regulatory response have highlighted the risks facing even the most technologically advanced companies when it comes to data protection. South Korea, known for its robust data privacy standards, has seen a spate of high-profile cyber incidents in recent years, including a nearly $100 million fine on mobile operator SK Telecom in 2025 for a breach affecting over 20 million subscribers.
For Coupang, the road ahead remains uncertain. The company’s reputation has taken a hit, and its leadership has changed hands amid the crisis. The legal battle over the record fine could drag on for months, if not years, as Coupang seeks to defend its actions and challenge the regulator’s findings. Meanwhile, the incident serves as a stark reminder to businesses everywhere: rapid growth and innovation must be matched by equally robust safeguards for customer data, or the consequences can be both costly and far-reaching.
As the dust settles, South Korean consumers and regulators alike will be watching closely to see whether Coupang can rebuild trust and set a new standard for data protection in the country’s booming e-commerce sector.