South Korea Fines Coupang $460 Million for Massive Data Breach and Employee Data Misuse
On June 12, 2026, South Korea’s Personal Information Protection Commission (PIPC) imposed a record fine of 624.7 billion won ($460 million) on e-commerce giant Coupang for a series of data protection violations, including a breach exposing the personal information of 37.55 million users. The fine stems from a 2025 incident in which a former employee exploited weak authentication controls to access and leak sensitive data.
The investigation also revealed that Coupang’s Coupang Partners advertising business collected and stored browsing records from 11.17 million users across third-party websites and apps without consent. Additionally, the PIPC found that Coupang had failed to prevent "hijack advertising" a practice where users were forcibly redirected to Coupang’s platform without clicking ads despite being aware of the issue. The company was ordered to strengthen oversight of its advertising partners.
Further violations involved Coupang Fulfillment Service (CFS), a subsidiary fined 248 million won for misusing employee data. CFS blacklisted 71 National Police Agency press corps journalists none of whom had worked at its logistics centers on an employment-restriction list. It also used employee weight data, collected for health management, in industrial accident litigation, violating privacy protections.
In response, Coupang issued an apology, acknowledging public concern but expressing disappointment that its post-breach remediation efforts were not fully considered in the PIPC’s decision. The case highlights growing regulatory scrutiny over data security, consent violations, and corporate misuse of personal information in South Korea.
Coupang cybersecurity rating report: https://www.rankiteo.com/company/coupang
"id": "COU1781504806",
"linkid": "coupang",
"type": "Breach",
"date": "1/2025",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'customers_affected': '37.55 million users',
'industry': 'Retail/E-commerce',
'location': 'South Korea',
'name': 'Coupang',
'size': 'Large',
'type': 'E-commerce Company'},
{'customers_affected': '11.17 million users',
'industry': 'Digital Advertising',
'location': 'South Korea',
'name': 'Coupang Partners',
'size': 'Subsidiary',
'type': 'Advertising Business'},
{'industry': 'Logistics',
'location': 'South Korea',
'name': 'Coupang Fulfillment Service (CFS)',
'size': 'Subsidiary',
'type': 'Logistics Subsidiary'}],
'attack_vector': 'Insider Threat (Former Employee)',
'customer_advisories': 'Public apology issued by Coupang',
'data_breach': {'data_exfiltration': 'Yes (by former employee)',
'number_of_records_exposed': '37.55 million (users) + 11.17 '
'million (browsing records)',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (personally identifiable '
'information, browsing history, '
'employee data)',
'type_of_data_compromised': ['Personal Information',
'Browsing Records',
'Employee Data']},
'date_detected': '2025',
'date_publicly_disclosed': '2026-06-12',
'description': 'South Korea’s Personal Information Protection Commission '
'(PIPC) imposed a record fine of 624.7 billion won ($460 '
'million) on e-commerce giant Coupang for a series of data '
'protection violations, including a breach exposing the '
'personal information of 37.55 million users. The fine stems '
'from a 2025 incident in which a former employee exploited '
'weak authentication controls to access and leak sensitive '
'data. The investigation also revealed unauthorized data '
'collection, hijack advertising, and misuse of employee data '
'by Coupang and its subsidiaries.',
'impact': {'brand_reputation_impact': 'Significant (public apology issued)',
'data_compromised': "37.55 million users' personal information, "
"11.17 million users' browsing records",
'financial_loss': '$460 million (fine)',
'identity_theft_risk': 'High (personal information exposed)',
'legal_liabilities': 'Fines imposed, potential legal actions',
'operational_impact': 'Regulatory scrutiny, reputational damage, '
'mandatory oversight of advertising partners',
'systems_affected': ['Coupang Platform',
'Coupang Partners Advertising Business',
'Coupang Fulfillment Service (CFS)']},
'investigation_status': 'Completed (PIPC ruling issued)',
'lessons_learned': 'Need for stronger authentication controls, consent-based '
'data collection, and oversight of subsidiaries and '
'advertising partners. Importance of preventing insider '
'threats and misuse of employee data.',
'motivation': ['Data Exfiltration',
'Unauthorized Data Collection',
'Corporate Misconduct'],
'post_incident_analysis': {'corrective_actions': ['Strengthened oversight of '
'advertising partners',
'Post-breach remediation '
'efforts (e.g., policy '
'updates)'],
'root_causes': ['Weak authentication controls',
'Unauthorized data collection '
'without consent',
'Misuse of employee data',
'Lack of oversight of advertising '
'partners']},
'recommendations': ['Implement multi-factor authentication',
'Enhance monitoring of employee data access',
'Ensure explicit user consent for data collection',
'Strengthen oversight of third-party partners',
'Review and update privacy policies'],
'references': [{'source': 'Personal Information Protection Commission '
'(PIPC)'}],
'regulatory_compliance': {'fines_imposed': ['624.7 billion won ($460 million) '
'for Coupang',
'248 million won for CFS'],
'regulations_violated': ['South Korea’s Personal '
'Information Protection '
'Act'],
'regulatory_notifications': 'PIPC investigation and '
'ruling'},
'response': {'communication_strategy': 'Public apology issued',
'remediation_measures': 'Strengthened oversight of advertising '
'partners, post-breach remediation '
'efforts (not fully considered by PIPC)'},
'threat_actor': 'Former Employee',
'title': 'South Korea Fines Coupang $460 Million for Massive Data Breach and '
'Employee Data Misuse',
'type': ['Data Breach', 'Privacy Violation', 'Employee Data Misuse'],
'vulnerability_exploited': 'Weak Authentication Controls'}