South Korea’s Personal Information Protection Commission (PIPC) has levied a penalty surcharge of Won624.68bn ($411.19m) on e-commerce company Coupang, marking the largest penalty ever imposed in the country for a personal data breach.
Of the total amount, Won423.6bn relates directly to the leak of customer data while a further Won201.1bn has been imposed for the unauthorised or non-consensual collection of personal information
The PIPC also issued a separate administrative fine of Won16.8m, alongside corrective orders, a publication order and a directive requiring Coupang to make the disposition public. The commission said the breach compromised the personal details of around 37.55 million users, including names, email addresses, phone numbers and home addresses, with the exposure occurring between April and November 2025. Investigators concluded that the breach stemmed from weaknesses in the company’s security practices, citing poor handling of authentication signing keys and insufficient access controls, rather than the result of a sophisticated cyberattack.
The PIPC also found separate privacy breaches by Coupang Fulfillment Services, for which it imposed an additional penalty surcharge of Won248m. The case stems from a months-long investigation that PIPC launched in November 2025, following reports that surfaced that month alleging the data breach had occurred. Responding to the ruling, Coupang said it regretted the concern caused, but argued that the steps it had taken to limit secondary harm and its own explanations had not been adequately considered in the commission’s findings.