South Korea Imposes Record $409 Million Fine on Coolpad for Massive Data Breach
On June 11, 2026, South Korea’s Personal Information Protection Commission (PIPC) levied a historic fine of 624.68 billion KRW (approximately $409 million) against U.S.-based e-commerce giant Coolpad CP for a severe data breach and unlawful collection of personal information. This marks the largest penalty ever issued for a data breach in South Korea.
The breach, stemming from poor security practices, exposed the personal data of 37.5 million users, including names, phone numbers, and building access codes. Investigators found that a former Chinese software engineer exploited retained authentication keys to access the data over a one-year period, highlighting critical failures in Coolpad’s key management and access controls. Compounding the issue, the company failed to notify affected users within the legally required 72-hour window, delaying protective measures.
Coolpad, which operates in the e-commerce and transportation sectors following its merger with Kansas City Southern, has faced public backlash and diplomatic tensions between South Korea and the U.S. In response, the company expressed regret and pledged to strengthen its data protection framework, though it plans to challenge the commission’s findings in court.
The incident has also raised concerns about Coolpad’s financial stability. While the company maintains a market cap of roughly $80 billion, its stock is currently trading at a 3.9% premium to its GuruFocus-estimated fair value of $86.75, with a P/E ratio (27.68x) above its five-year median (25.13x). Despite strong profitability and momentum scores, its weak financial strength rating (3/10) suggests potential vulnerabilities amid ongoing regulatory and legal pressures. No insider trading activity has been reported in the past three months.
Source: https://www.gurufocus.com/news/8912089/coolpad-cp-faces-record-fine-in-south-korea-over-data-breach
Coolpad CP TPRM report: https://www.rankiteo.com/company/coolpad
"id": "coo1781196838",
"linkid": "coolpad",
"type": "Breach",
"date": "6/2026",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '37.5 million',
'industry': 'E-commerce, Transportation',
'location': 'U.S.',
'name': 'Coolpad CP',
'type': 'E-commerce and transportation company'}],
'attack_vector': 'Exploitation of retained authentication keys',
'data_breach': {'number_of_records_exposed': '37.5 million',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (personally identifiable '
'information)',
'type_of_data_compromised': ['Names',
'Phone numbers',
'Building access codes']},
'date_publicly_disclosed': '2026-06-11',
'description': 'South Korea’s Personal Information Protection Commission '
'(PIPC) levied a historic fine of 624.68 billion KRW '
'(approximately $409 million) against U.S.-based e-commerce '
'giant Coolpad CP for a severe data breach and unlawful '
'collection of personal information. The breach exposed the '
'personal data of 37.5 million users, including names, phone '
'numbers, and building access codes, due to poor security '
'practices and exploitation of retained authentication keys by '
'a former employee.',
'impact': {'brand_reputation_impact': 'Public backlash and diplomatic '
'tensions',
'data_compromised': '37.5 million records',
'financial_loss': '$409 million (fine)',
'identity_theft_risk': 'High (exposure of names, phone numbers, '
'building access codes)',
'legal_liabilities': 'Regulatory fines and potential legal '
'actions'},
'initial_access_broker': {'entry_point': 'Retained authentication keys',
'reconnaissance_period': 'One-year period'},
'investigation_status': 'Completed (fine imposed)',
'lessons_learned': 'Critical failures in key management and access controls; '
'importance of timely breach notifications',
'post_incident_analysis': {'corrective_actions': ['Strengthening data '
'protection framework'],
'root_causes': ['Poor security practices',
'Retained authentication keys',
'Inadequate access controls']},
'recommendations': 'Strengthen data protection frameworks, improve key '
'management, and ensure compliance with breach '
'notification timelines',
'references': [{'source': 'Personal Information Protection Commission '
'(PIPC)'}],
'regulatory_compliance': {'fines_imposed': '624.68 billion KRW (~$409 '
'million)',
'legal_actions': 'Company plans to challenge '
'findings in court',
'regulations_violated': ['South Korea’s Personal '
'Information Protection '
'Act'],
'regulatory_notifications': 'Failed to notify users '
'within 72-hour legal '
'window'},
'response': {'communication_strategy': 'Expressed regret and pledged '
'improvements',
'remediation_measures': 'Strengthening data protection '
'framework'},
'threat_actor': 'Former Chinese software engineer',
'title': 'South Korea Imposes Record $409 Million Fine on Coolpad for Massive '
'Data Breach',
'type': 'Data Breach',
'vulnerability_exploited': 'Poor key management and access controls'}