South Korea has imposed a record fine of more than $400 million on e-commerce giant Coupang after regulators found that a massive data breach exposed the personal information of more than 30 million customers and revealed unlawful data collection practices.

The country’s Personal Information Protection Commission (PIPC) announced on 11 June that Coupang would be fined about 625 billion won ($409 million), the largest penalty ever issued for a data privacy violation in South Korea. According to the regulator, the sanctions cover both the customer data breach and the collection of personal information without users’ consent.

The PIPC found more than 33 million customer records had been exposed and that the company failed to identify the breach within the 72-hour period required by law. The regulator said the penalty represented roughly 1.4 per cent of Coupang’s 2025 revenue.

Song Kyung-hee, chairperson of the PIPC, said: “This accident occurred due to Coupang’s lack of safety measures and systems, not sophisticated hacking.” She added that the company’s security arrangements allowed unauthorised access to customer information and failed to detect unusual activity until a customer raised concerns.

The commission imposed a further penalty for the non-consensual collection of information and concluded that weak safeguards, including poor management of authentication keys and access controls, contributed to the exposure of user data. The regulator said approximately 37.5 million users may have been affected.

According to Reuters, investigators separately found that Coupang’s marketing programme collected information about the online activities of around 11 million customers without their agreement. A government investigation earlier this year linked the breach to a former employee who allegedly obtained a security key and accessed customer accounts.

Coupang, which is listed in New York but generates most of its revenue in South Korea, apologised for the incident and said it would challenge the regulator’s findings. The company said: “We regret that our proactive measures to prevent secondary harm from last year's data leak incident, as well as our explanations based on clear facts, were not sufficiently reflected” in the decision.

The ruling follows a lengthy investigation that has become a point of friction between Seoul and Washington, with some US lawmakers and the company criticising the regulatory process. South Korean officials have rejected those criticisms and maintained that the case concerns domestic enforcement of privacy laws.

---