Coupang pledges legal action against record $409 mil. fine over massive data breach

Personal Information Protection Commission Chairperson Song Kyung-hee speaks during a briefing on Coupang's data breach at Government Complex Seoul, Thursday. Yonhap

Coupang was slapped with a record-high fine of 624.7 billion won ($409 million) for a massive data breach involving more than 33 million users, marking the largest privacy penalty in Korea, a regulatory authority said Thursday.

The penalty is roughly equivalent to the e-commerce giant's operating profit of 679 billion won reported last year.

According to the Personal Information Protection Commission, the company was fined 423.6 billion won over the data breach and an additional 201.1 billion won for the unauthorized collection of users' online activity records and other violations.

A joint government-civilian investigation led by the Ministry of Science and ICT concluded that the individual responsible for the breach gained access to the personal information of approximately 37.5 million users.

The latest figure is higher than the 33.7 million accounts identified in February, indicating that additional affected users were uncovered during the subsequent investigation.

The scale of the breach surpasses the previous record from an SK Telecom data leak last year in which 23.2 million users were affected. The authority handed the telecom firm a then-record fine of 134.8 billion won.

Coupang Inc. Chairman Bom Kim poses at the New York Stock Exchange after listing the company, March 11, 2021. AP-Yonhap

“We reached this conclusion based on the facts, evidence and findings of the investigation,” Song Kyung-hee, chairperson of the commission, said in a media briefing. “We did not take into account Coupang’s nationality or any other external factors surrounding the firm,” she said, referring to the fact that the company is headquartered in Seattle and listed on the New York Stock Exchange.

She also underlined that the data breach was found to have resulted not from a sophisticated cyberattack, but from deficiencies in basic security management systems and inadequate oversight.

The high-profile sanction, however, still sparks fears of possible backlash from the United States.

U.S. government officials and Congress members have alleged that the case was not merely an enforcement action under Korea’s data protection law, but represented discriminatory treatment toward a U.S. firm.

In April, a group of U.S. lawmakers sent a letter to the Korean Embassy in Washington, calling for an end to what they described as discriminatory regulations against Coupang.

U.S. Secretary of State Marco Rubio recently said that some actions taken by Korea toward American companies had affected the U.S.’ ability to finalize a tariff agreement. His remarks marked a public acknowledgment by a senior U.S. official that the Coupang issue had influenced trade negotiations between Seoul and Washington.

A delivery truck is parked at a Coupang logistics center in Seoul, Dec. 30, 2025. Korea Times photo by Lim Ji-hoon

Coupang expressed regret over the latest sanction.

“We regret that the commission’s decision did not fully reflect our proactive measures taken to prevent secondary harm following last year’s data leak incident, as well as explanations based on clearly established facts,” Coupang said in a statement.

The company also shared plans to take legal action.

“We look forward to the facts being clearly established through legal proceedings after receiving the official written decision from the authority," the company said, adding that it will further strengthen its personal information protection framework and make every effort to restore customer trust with renewed commitment.

Amid potential diplomatic sensitivities, the Korean government plans to explain the penalty imposed on Coupang to U.S. officials, in an effort to prevent the issue from escalating into another diplomatic dispute between Seoul and Washington.

An official from the Ministry of Foreign Affairs told reporters that the government would continue to uphold its policy of nondiscrimination toward U.S. digital companies, including Coupang.

"The commission conducted its investigation fairly and in accordance with procedures stipulated under domestic law, based on the principle that penalties should be commensurate with responsibility," the official said. "Coupang was given ample opportunity to present its views during the investigation process."

The unprecedented penalty highlights growing regulatory scrutiny over data security in Korea's booming e-commerce sector, setting a stark precedent for corporate cybersecurity accountability.

Under the current Personal Information Protection Act, companies can be fined up to 3 percent of their total sales for data leaks.

An upcoming amendment to the law, scheduled to take effect this September, will raise the maximum penalty to 10 percent of sales in the case of large-scale data breaches. However, Coupang narrowly avoided the tougher penalties as the new regulations cannot be applied retroactively to this case.