South Korea just handed down the largest data protection fine in its history, and the recipient is the country’s most dominant e-commerce company. Coupang, often called “South Korea’s Amazon,” was slapped with a 624.7 billion won penalty, roughly $409 million, for a breach that exposed the personal information of over 33.67 million users.
To put that number in perspective, South Korea’s total population is around 51 million. That means roughly two-thirds of every person in the country had their data compromised.
What happened, and how did it get this bad
The breach traces back to a former Coupang engineer who exploited a cryptographic signing key, gaining unauthorized access to user data over a period of several months, starting around April to June 2025.
The exposed data included names, email addresses, phone numbers, physical addresses, and order histories. Payment data and passwords were reportedly not compromised.
Coupang officially acknowledged the breach on November 17, 2025. The company then took 48 hours to report the incident to regulators, missing a legally mandated 24-hour reporting window. That delay became a central factor in the severity of the punishment.
South Korea’s Personal Information Protection Commission, known as PIPC, launched an investigation that concluded in May 2026. The probe determined the breach was predominantly the result of internal management failures. The fine was formally delivered on June 11, 2026.
The previous record fine in South Korea for a data protection violation was 134.8 billion won. Coupang’s penalty is nearly five times that amount.
The billion-dollar cleanup
The fine itself is just one piece of Coupang’s financial exposure. In December 2025, the company announced a compensation plan for affected customers totaling approximately 1.7 trillion won, or about $1.2 billion.
Combined with the regulatory penalty, Coupang is looking at a total cost north of $1.6 billion from a single security incident.
The PIPC noted that maximum fines under South Korean data protection law can reach 3% of relevant revenue. The 624.7 billion won figure suggests regulators calculated the penalty to be punitive but not existential.
What this means for investors
The scale of the fine relative to previous penalties signals a clear escalation in how South Korean regulators approach enforcement, with the Coupang penalty coming in at nearly five times the prior record of 134.8 billion won.
The $1.2 billion compensation plan on top of the 624.7 billion won fine creates a combined financial hit that dwarfs what most companies budget for incident response.
The breach originated from an insider exploiting a cryptographic signing key, not an external attack, highlighting that internal access management and employee offboarding protocols carry material security risk alongside external cybersecurity spending.