South Korea’s top privacy regulator has slapped the country’s leading e-commerce platform Coupang with a historic fine exceeding $400 million, the largest penalty ever levied for a data breach in the nation, over a 2023 cyber incident that exposed sensitive personal information of more than 37 million users – a figure that equals over half of South Korea’s total population.
The Personal Information Protection Commission (PIPC) announced Wednesday that it is imposing a 624.68 billion won fine on Coupang, finding the company violated two key national privacy regulations: failing to uphold required data safety obligations, and collecting personal user information without proper legal justification. A months-long investigation launched after the breach was first reported last November uncovered critical gaps in Coupang’s cybersecurity infrastructure, including inadequate management of authentication signing keys and poorly implemented access controls. These vulnerabilities created the opening that allowed unauthorized actors to access user data, the regulator confirmed.
The exposed information included full names, contact details, delivery addresses, and complete order histories for affected customers. Widely regarded as South Korea’s equivalent to Amazon, Coupang is the dominant player in the country’s online retail sector. While the company is incorporated in the United States, it generates the vast majority of its revenue from the South Korean market.
When news of the breach first broke in November 2023, Coupang initially reported that only around 4,500 customer accounts had been compromised, and promptly notified regulatory authorities of the incident. Follow-up internal investigations later revised that number dramatically, revealing that nearly 34 million South Korean-based user accounts were likely exposed. The company has acknowledged that the unauthorized access likely began as early as June 2023, originating from an overseas-based server. In the wake of the scandal, Coupang’s then-CEO Park Dae-jun stepped down from his position, issuing a public apology for the security failure. The company’s chief administrative officer Harold Rogers was subsequently named interim chief executive to lead the response.
In a statement to the BBC following the PIPC’s announcement, Coupang said it “deeply regrets the concern caused” by the incident and has committed to overhauling its cybersecurity frameworks to prevent future breaches. However, the company confirmed it intends to contest the regulator’s ruling, arguing that the PIPC did not adequately incorporate Coupang’s own explanations and corrective measures into its final decision. “Upon receiving the official resolution from the PIPC, we expect that the facts will be clearly established through legal procedures,” a Coupang spokesperson said.
This record penalty comes at a time when South Korea – a country globally recognized for its advanced digital infrastructure and strict data privacy standards – is grappling with a string of high-profile cybersecurity incidents. Just last year, the nation’s largest mobile operator SK Telecom was hit with a nearly $100 million fine over a separate data breach that compromised the information of more than 20 million subscribers, underscoring growing systemic risks to personal data across major South Korean digital services.
