Coupang Ecommerce Data Breach Fine Demonstrates the Increasing Level of Seriousness in South Korean Regulation

June 16, 2026


A record-setting fine of 624 billion won just handed down for ecommerce giant Coupang’s 2025 data breach demonstrates that South Korea’s privacy regulators continue to move in an even more strict direction.

The penalty came even as members of Congress in the US applied some strong foreign pressure in favor of leniency.

While the fine did not reach the maximum allowable 3% of annual revenue for data breaches (under present law), it ended up being a little more than 1% of Coupang’s annual revenue and a heavy blow to its profits for the year. It also set a new record for the country; though it was broken up into two pieces, each one was bigger than the prior record amount issued to SK Telecom earlier this year.

Ecommerce giant found at fault, but appeal is forthcoming

Coupang’s total data breach fine comes out to 624 billion won, or about $411 million. Though broken into two smaller fines, each one is individually larger than the 134.8 billion won charged to SK Telecom earlier this year for its extended breach in 2025.

The national Personal Information Protection Act (PIPA) is set to receive an update in September that will increase the maximum fine in these cases to 10%. The ecommerce giant was in no danger of having the clock turn over on them, as the fact that the breach window was in 2025 ensures they stay under the present maximum of 3%. However, the move shows that the Personal Information Protection Commission (PIPC) is not afraid to take a severe bite of an organization’s annual profit if it is found at fault and negligent in its cybersecurity.

The investigation indicates Coupang earned the record fine by missing the mandatory breach reporting window of 72 hours, but more importantly by lacking fundamental security measures to protect key signing and access control. It also initially reported that only about 4,500 records were impacted, revising that to 34 million about two weeks later. The ecommerce company plans to challenge its fine, but given the investigation results and a chain of several data breaches dating back to 2020, it seems that it is in for an uphill battle.

Data breach exposed contact information of nearly all current and former Coupang customers

A long breach window from June to November 2025 allowed the attacker to abscond with the contact information of pretty much everyone who has ever had an account with the ecommerce site. For some added perspective, 34 million is over half of South Korea’s entire population.

The hacker is thought to be a Chinese national and former engineer for the ecommerce site, who has likely fled back home to escape prosecution. They thankfully did not have access to payment information or much in the way of order histories, but they did get the basic contact information associated with each account; certainly enough to give a big boost to targeted fraud and phishing attempts.

A more limited subset of 11.7 million customers may have had “some” of their order history or site activity exposed via apparently unprotected storage with a third party, and Coupang earned a separate 210 billion won fine for that on top of the 423.6 billion for the more general data breach impacting all customers. The incident has already caused major shake-ups at the company, with former CEO Park Dae-jun resigning over it and the stock price taking a 35% hit. It will be interesting to see if new records are set when the 10% annual revenue cap kicks in later this year.