Coupang fined record $409 million for data breach in Korea

Summary

– South Korea’s PIPC fined Coupang a record 624.6 billion won ($409 million) for a data breach affecting over 37 million customers, with subsidiary Coupang Fulfillment Service fined an additional 248 million won.
– The breach resulted from inadequate security practices, including failures in authentication key management and access controls, leading to the leak of 37.55 million people’s personal information.
– PIPC also cited violations of data destruction and leak-notification requirements, interference with the data protection officer’s independence, and obstruction of the investigation.
– The primary suspect is a 43-year-old Chinese national and former Coupang IT employee who accessed millions of accounts and attempted to destroy evidence by disposing of a laptop in a river.
– Coupang plans to pay 1.685 trillion won and distribute 50,000 won vouchers per customer in January 2026 to compensate over 33 million affected customers.

South Korea’s data protection watchdog, the Personal Information Protection Commission (PIPC), has imposed a record-breaking fine of 624.6 billion won (approximately $409 million) on e-commerce giant Coupang after a major data breach exposed the personal data of over 37 million customers.

The PIPC also levied a separate fine of 248 million won on subsidiary Coupang Fulfillment Service for illegally collecting, using, and handling sensitive customer data. Investigators determined that the leak stemmed from inadequate security protocols, including failures in authentication key management and access control systems.

Beyond the breach itself, regulators cited violations of data destruction and leak-notification requirements, along with interference in the independence of Coupang’s data protection officer and obstruction of the investigation.

“Personal information of approximately 37.55 million people leaked due to insufficient basic safety management system, including negligence in authentication signature key management and access control,” the PIPC stated. “Regarding Coupang’s violation of safety measure obligations and collection of personal information without legal basis, a fine of 624.681 billion won and a fine of 16.8 million won were imposed, as well as corrective orders, announcements, and publication orders.”

Coupang, an American online retailer operating primarily in South Korea, employs 95,000 people and posts annual revenues exceeding $30 billion. In late December, the company announced plans to pay 1.685 trillion won (about $1.17 billion) in compensation and to begin distributing single-use purchase vouchers worth 50,000 won (roughly $34) per customer starting in January 2026, covering over 33 million affected users.

The breach, one of the worst in South Korea’s history, occurred in late June but was only discovered in mid-November, when Coupang warned that 33.7 million accounts had been compromised. Authorities later identified the primary suspect as a 43-year-old Chinese national who worked in Coupang’s IT department from 2022 to 2024.

According to South Korean investigators, the former employee returned multiple hard drives containing sensitive data and attempted to destroy evidence by discarding a MacBook Air laptop in a river, though the device was later recovered. Coupang added that while the suspect accessed millions of accounts, they retained data for only about 3,000 accounts, and that this information was deleted from all devices without being transferred elsewhere.

In a separate incident, SK Telecom, South Korea’s largest mobile network operator, warned customers in April that sensitive USIM data had been exposed after malware infected its network. The company later confirmed the malware had been active since June 2022, ultimately affecting 27 million subscribers, nearly its entire customer base.

(Source: BleepingComputer)
