South Korea fines Coupang $409 million for massive data breach and misleading ads

South Korea’s Personal Information Protection Commission fined Coupang 624.7 billion won (about $409 million) on June 11 for a large-scale data breach exposing personal information of roughly 37.5 million users, about two-thirds of South Korea’s population ^{[1, 2, 3, 4, 5, 6]}. The breach was caused by poor basic cybersecurity practices, including lax access controls and improper management of authentication keys, which allowed a former employee undetected access to customer data over several months ^{[1, 2, 3, 7, 4, 8]}.

Kyung Hee Song, Chairperson of the commission, said, "This incident was caused not by a sophisticated hacking method, but by Coupang’s inadequate basic safety management system and negligent management." She added the company’s protections failed to keep pace with its rapid growth using large-scale customer data ^{[1, 7, 4]}.

The commission also found that Coupang illegally collected and stored identifiable data on about 11.7 million users’ online activity from third-party websites and apps without consent ^{[2, 5, 6]}. The company delayed notifying affected users beyond the required 72 hours and obstructed investigations, worsening the impact on customers ^{[2, 4, 6]}. Song said the delay deprived individuals of the chance to take precautionary steps to prevent further harm ^[4].

In addition to the data breach fine, the South Korea Fair Trade Commission fined Coupang 5 billion won (about $33,000) on June 9 for misleading advertisements tied to its paid membership discount offers between 2020 and 2022 ^{[9, 10]}.

South Korean lawmakers criticized U.S. political pressure on their investigation of Coupang, which is listed in the U.S. but operates mainly in South Korea ^{[1, 2, 4]}. Coupang responded that it regrets the commission did not fully reflect its efforts to prevent secondary harm and plans to challenge the ruling in court ^{[2, 7, 4]}.

After issuing customer vouchers following the breach, Coupang said it expects slower revenue growth in 2026. Its shares have fallen about 35% since early 2026 ^{[1, 7]}.

The Personal Information Protection Commission ordered Coupang to strengthen security measures, notify non-members whose data was leaked, and revise policies for handling data of former customers ^{[6, 11]}. Enforcement and compliance monitoring will follow as the company addresses these requirements.