Coupang hit with record 624.7 billion won fine by Korean regulator over privacy violations

Coupang delivery trucks sit in a lot in Seoul. (Choi Hyeon-su/Hankyoreh)

South Korea’s data protection regulator has imposed a record 624.7 billion won (US$410 million) fine on e-commerce giant Coupang, along with an additional 16.8 million won penalty, for privacy violations in the watchdog’s biggest-ever sanction against a Korean or foreign conglomerate.The regulator also found that Coupang had unlawfully collected and saved the user activity records of around 11.17 million users. Korea’s Personal Information Protection Commission (PIPC) said Thursday that Coupang’s negligence in managing the key management system used to access its internal servers allowed a former employee at Coupang to conduct a cyber attack and leak the information of approximately 37.5 million individuals: 33.22 million members and 4.33 million non-members.This number is 3.88 million higher than that announced during the joint private-government investigation into Coupang’s data breach case in February.The PIPC investigation discovered a large number of victims who did not have registered Coupang accounts. A total of 63.98 million pieces of information related to delivery addresses — including the names, phone numbers, and addresses of family members and friends registered on members’ delivery address management pages — as well as apartment building entrance passwords that had been de-identified with special characters, were leaked.Some of those account-holders’ pages included 4,226 apartment entrance passwords that had not been de-identified, which were then directly accessed by the hacker. In addition, the investigation found that approximately 270,000 order records, which included the dates of the orders as well as the names, quantities, and prices of the products ordered, belonging to about 58,000 people, were exposed.Sensitive order information was also included in the second blackmail email sent to Coupang by the hacker in November 2025, including the members’ purchase histories for adult toys and underwear.However, Coupang caused widespread confusion when it announced that the data breach had only affected 3,000 people, relying solely on the hacker’s testimony during its internal investigation into the incident in December without verifying facts.On top of everything, the PIPC uncovered illegal personal information collection practices at the e-commerce giant. The commission's investigation confirmed that Coupang collected and stored the online activity records of 11,176,130 members who accessed external websites and apps that featured Coupang’s advertisements, all without any legitimate legal grounds.Coupang issued a statement on Thursday expressing regret that the PIPC “did not reflect our preemptive measures taken to prevent secondary damage related to the crisis and the explanations based on clear factual relationships in its decision.” The company indicated its intention to take legal action, such as filing an administrative lawsuit to challenge the fine. By Sun Dam-eun, staff reporter; Seo Hye-mi, staff reporterPlease direct questions or comments to [english@hani.co.kr]