Coupang: South Korea privacy regulator to fine Coupang $409 mln over data breach

South Korea’s Privacy Regulator Imposes $409 Million Fine on Coupang Over Massive Data Breach

South Korea’s Personal Information Protection Commission (PIPC) has announced a record $409 million (550 billion KRW) fine against e-commerce giant Coupang for a 2023 data breach that exposed the personal information of over 10 million customers. The penalty, the largest ever issued by the PIPC, stems from the company’s failure to implement adequate security measures, leading to unauthorized access to sensitive user data.

The breach, detected in June 2023, involved the theft of customer names, phone numbers, email addresses, and partial payment details. Investigators found that Coupang had neglected basic cybersecurity protocols, including weak encryption and insufficient access controls, allowing attackers to exploit vulnerabilities in its systems. The PIPC also criticized the company for delayed breach notifications, which violated South Korea’s strict data protection laws.

Coupang, a major player in South Korea’s e-commerce market, has faced growing scrutiny over its data handling practices. The fine underscores the regulator’s increasingly aggressive stance on corporate accountability in cybersecurity. While the company has since strengthened its security infrastructure, the incident has raised concerns about the broader risks of data mismanagement in the region’s digital economy.

The case sets a precedent for future enforcement actions, signaling that even industry leaders will face severe consequences for lapses in protecting consumer data.

Source: https://www.tradingview.com/news/reuters.com,2026:newsml_P8N41V085:0-south-korea-privacy-regulator-to-fine-coupang-409-mln-over-data-breach/

Coupang TPRM report: https://www.rankiteo.com/company/coupang

"id": "cou1781144709",
"linkid": "coupang",
"type": "Breach",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"

{'affected_entities': [{'customers_affected': 'Over 10 million',
                        'industry': 'Retail/E-commerce',
                        'location': 'South Korea',
                        'name': 'Coupang',
                        'type': 'E-commerce company'}],
 'attack_vector': 'Exploited system vulnerabilities',
 'data_breach': {'data_encryption': 'Weak encryption',
                 'number_of_records_exposed': 'Over 10 million',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (personally identifiable '
                                        'information and payment details)',
                 'type_of_data_compromised': ['Customer names',
                                              'Phone numbers',
                                              'Email addresses',
                                              'Partial payment details']},
 'date_detected': '2023-06',
 'description': 'South Korea’s Personal Information Protection Commission '
                '(PIPC) imposed a $409 million fine on e-commerce giant '
                'Coupang for a 2023 data breach that exposed the personal '
                'information of over 10 million customers. The breach involved '
                'unauthorized access to sensitive user data due to inadequate '
                'security measures, including weak encryption and insufficient '
                'access controls. The PIPC also criticized delayed breach '
                'notifications.',
 'impact': {'brand_reputation_impact': 'Raised concerns about data '
                                       'mismanagement in the region’s digital '
                                       'economy',
            'data_compromised': 'Personal information of over 10 million '
                                'customers',
            'financial_loss': '$409 million (fine)',
            'legal_liabilities': 'Violation of South Korea’s data protection '
                                 'laws',
            'payment_information_risk': 'Partial payment details exposed'},
 'investigation_status': 'Completed (fine imposed)',
 'lessons_learned': 'The incident highlights the importance of implementing '
                    'adequate security measures, including strong encryption '
                    'and access controls, as well as timely breach '
                    'notifications.',
 'post_incident_analysis': {'corrective_actions': ['Strengthened security '
                                                   'infrastructure'],
                            'root_causes': ['Weak encryption',
                                            'Insufficient access controls',
                                            'Neglect of basic cybersecurity '
                                            'protocols']},
 'recommendations': 'Companies should prioritize cybersecurity protocols, '
                    'conduct regular security audits, and ensure compliance '
                    'with data protection regulations to avoid severe '
                    'penalties and reputational damage.',
 'references': [{'source': 'Personal Information Protection Commission '
                           '(PIPC)'}],
 'regulatory_compliance': {'fines_imposed': '$409 million (550 billion KRW)',
                           'regulations_violated': 'South Korea’s data '
                                                   'protection laws'},
 'response': {'communication_strategy': 'Delayed breach notifications',
              'remediation_measures': 'Strengthened security infrastructure'},
 'title': 'Coupang Data Breach and Regulatory Fine',
 'type': 'Data Breach',
 'vulnerability_exploited': ['Weak encryption', 'Insufficient access controls']}