South Korea fines Coupang record sum over data breach

Rule Changes

A former engineer's retained signing key exposed data on most of the country, and the privacy regulator answered with the largest fine in its history.

Yesterday: Record $409 million fine imposed

Overview

South Korea's privacy regulator fined Coupang 624.7 billion won, about $409 million, for a breach that exposed personal data tied to 37.5 million accounts. That is more than 70% of the country's population, and it is the largest data-privacy penalty Korea has ever imposed.

The regulator said the cause was weak security, not clever hacking. A former engineer kept a signing key after leaving, forged login tokens, and roamed customer systems for months before anyone noticed. Coupang says it will fight the fine in court.

Why it matters

If you shopped on Korea's biggest online store, your name, address, phone, and order history were likely exposed, and the company that held them is contesting the bill.

Key Indicators

Total fine: $409M. Largest data-privacy penalty in South Korean history.
Accounts exposed: 37.5M. More than 70% of South Korea's population.
Users tracked without consent: 11.17M. Online activity collected across third-party sites and apps.
Undetected access: ~7 months. Intruder had access from mid-April to early November 2025.
Compensation pledged: $1.2B. Coupang's 1.7 trillion won plan to restore customer trust.

Timeline

November 2024 to June 2026
  1. US investors file trade petition

    Trade

    Two US investment firms file a Section 301 petition with the US Trade Representative, alleging discrimination against American companies.

  2. Coupang pledges $1.2 billion compensation

    Response

    The company announces a 1.7 trillion won plan to compensate affected customers and rebuild trust.

  3. Scale revealed: 33.7 million accounts

    Disclosure

    Coupang publicly discloses that roughly 33.7 million user accounts were compromised in the breach.

  4. Breach reported late to authorities

    Regulatory

    Coupang notifies regulators more than 53 hours after discovery, past the required reporting window.

  5. Coupang discovers the intrusion

    Detection

    The company finds the unauthorized access after the former employee sends threatening anonymous emails. Initial estimate: about 4,500 accounts.

  6. Unauthorized access begins

    Breach

    The former engineer allegedly forges authentication tokens and starts accessing customer systems, continuing into November.

  7. Engineer leaves with access to signing key

    Origin

    A Coupang engineer who helped build a backup authentication system departs the company, retaining an internal signing key.

Historical Context

3 moments from history that rhyme with this story — and how they unfolded.

2025

SK Telecom data breach fine (2025)

South Korea's largest mobile carrier suffered a breach and drew an $88 million penalty, then the biggest privacy fine in the country. Regulators cited weak safeguards over subscriber data.

Then

The fine set the prior national ceiling for privacy penalties and pushed carriers to harden systems.

Now

It established that Korean regulators would scale fines to the size of the data holder, setting up an even larger Coupang penalty.

Why this matters now

Coupang's fine is more than four times the SK Telecom mark, showing how fast Korea's privacy penalties are climbing.

September 2017

Equifax data breach (2017)

Attackers exploited an unpatched flaw at credit bureau Equifax and exposed sensitive data on about 147 million Americans. The cause was a known vulnerability left unfixed, not a novel hack.

Then

Equifax's CEO resigned and the company faced a wave of investigations and lawsuits.

Now

A 2019 settlement reached up to $700 million, becoming a reference point for breach penalties tied to basic security lapses.

Why this matters now

Like Coupang, Equifax was punished for preventable failures rather than sophisticated attacks, and both fines turned on negligence.

May 2023

Meta GDPR fine over data transfers (2023)

Ireland's privacy regulator fined Meta 1.2 billion euros over transfers of European user data to the US, the largest penalty under the EU's data-protection law at the time.

Then

Meta was ordered to suspend the transfers and given a deadline to comply.

Now

The case showed regulators willing to impose record fines on global tech firms and to treat data handling as a sovereignty issue.

Why this matters now

Both cases show national regulators using record fines against large platforms, and both raised cross-border friction over data.
