Coupang fined $409 million in South Korea’s largest data breach penalty

The fine amounts to 1.4 per cent of Coupang’s revenue of 45 trillion won in 2025. (Source: Reuters/Dado Ruvic)

By Heejin Kim and Joyce Lee June 11, 2026

Text Size

South Korea will fine e-commerce giant Coupang 625 billion won (US$409.30 million) over a massive leak of customer information last year and illegal collection of personal information, in the country’s largest data breach penalty on a company.

The Personal Information Protection Commission said the New York-listed company had leaked personal data of more than 33 million customers and failed to detect the breach within the 72 hours required by the law.

The fine amounts to 1.4 per cent of Coupang’s revenue of 45 trillion won in 2025, according to Reuters’ calculation.

“This accident occurred due to Coupang’s lack of safety measures and systems, not sophisticated hacking,” Song Kyung-hee, the chairperson of the privacy regulator, told a briefing on Thursday.

After the fine was announced, Coupang apologised for having caused concern to the public and its customers.

However, the company said that “we regret that our proactive measures to prevent secondary harm from last year’s data leak incident, as well as our explanations based on clear facts, were not sufficiently reflected” in the regulator’s decision.

Seattle-based Coupang generates most of its revenue in South Korea, offering fast delivery of groceries, food and other goods.

The penalty followed a finding by a government-led investigation earlier this year that blamed the breach on management failure.

South Korea’s science ministry at the time said that a former employee, who was a Chinese national, stole a security key and gained unauthorised access to customer accounts.

Song said Coupang’s security system allowed a hacker to easily access the personal information of all of its customers, even after the suspect left the company.

The firm also failed to detect an unusual increase in traffic to its customer data until it was alerted by a customer’s inquiry, she added.

Separately, the regulator found the company’s marketing program illegally collected information on online activities of around 11 million customers without their agreement, Song said.

Probes into the data breach added to trade friction with Washington amid concerns Korean authorities had gone too far in their treatment of the US-listed company, while the allies have been negotiating details on a trade deal struck last year.

South Korea said, however, its Coupang probe was neither a trade nor security issue and should be handled separately from the ongoing talks with Washington.

The firm is estimated to control about 40 per cent of South Korea’s logistics services, the largest market share among peers, according to Seoul-based IM Securities.

“Coupang has grown its e-commerce service significantly based on vast customer data,” Song said. “But the company did not have a system to protect and manage customer information despite its business scale.”