Key Takeaways:
- South Korea fined Coupang a record $409 million over a massive data breach.
- Personal data of nearly two-thirds of South Korea’s population was exposed.
- The penalty could heighten U.S.-South Korea tensions over tech regulation.
South Korea fined ecommerce giant Coupang 624.6 billion won ($409 million) on Thursday after the Coupang data breach, a cyberattack that exposed personal information belonging to nearly two-thirds of the country’s population.
The penalty, imposed by South Korea’s Personal Information Protection Commission, is the largest fine ever issued against a single company for a data breach in the country. Regulators said Coupang failed to implement sufficient safeguards to detect and respond to unauthorized access to customer data.
Regulators cite security failures
The commission said a monthslong investigation into the Coupang data breach found weaknesses in the company’s cybersecurity controls.
“The company neglected to implement adequate measures to detect and respond to unauthorized external access,” Song Kyung-hee, a senior commission official, told reporters.
According to regulators, the Coupang data breach occurred after a former employee used a private encryption key that remained active after leaving the company.
Of the total penalty, 423.6 billion won was linked directly to the data breach, while 201 billion won was imposed for collecting and using customer information without obtaining proper consent, according to the commission.
Company plans legal challenge
Coupang said it disagreed with the ruling and intends to challenge the decision through legal channels.
The company said it was “regrettable” that measures implemented after the breach and its explanations were “not sufficiently reflected” in the commission’s findings.
“We look forward to the facts being clearly clarified through legal proceedings after receiving the official resolution,” the company said in a statement.
Founded in 2010 by Korean-American entrepreneur Bom Kim, Coupang grew into South Korea’s largest ecommerce platform through its overnight “rocket delivery” service. Backed by SoftBank, the company serves about 25 million active members across online retail, food delivery, and streaming services.
The company reported sales of 49 trillion won in 2025. However, it posted a $242 million operating loss in the first quarter and warned that security concerns could slow revenue growth this year.
Breach sparks political and trade concerns
The delayed disclosure of the Coupang data breach triggered public criticism and prompted some customers to leave the platform.The chief executive of Coupang’s South Korean subsidiary resigned following the incident.
President Lee Jae Myung described the case as a warning about the need for stronger cybersecurity protections across the country.
The case also attracted international attention because Coupang is incorporated in Delaware, although it generates most of its revenue in South Korea. A group of investors previously petitioned the United States government to investigate the penalty under trade laws, arguing that American companies could face unfair treatment abroad. The petition was later withdrawn.
Legal experts said the size of the fine could add pressure to relations between Seoul and Washington as governments increasingly scrutinize large technology companies.
“The fine’s unprecedented amount is likely to fuel Washington’s suspicion that U.S. companies are being targeted in Korea,” said Lee Jae-min, a law professor at Seoul National University. “It could increase tensions unless Seoul thoroughly explains how the penalty was calculated.”
Under South Korean law, companies that fail to maintain adequate data protection measures can face penalties of up to 3% of revenue. Authorities may also seek punitive damages when breaches result from gross negligence or willful misconduct.
