Coupang Data Breach Results in Record Fine
South Korea's Personal Information Protection Commission (PIPC) has imposed a record 624.7 billion won ($409 million) fine on Coupang, the country's largest online retailer, after an investigation into a data breach that compromised the personal information of tens of millions of customers.
Breach Details
The breach first became public in November when Coupang said approximately 33.7 million customer accounts had been compromised — equivalent to around 65% of South Korea's entire population. The PIPC's investigation confirmed that 33,222,472 registered members were affected, but also identified a category of victims the company had not previously acknowledged: at least 4,338,368 non-members whose names, phone numbers and addresses had been stored as delivery recipients by other customers, and who had no way of knowing their data was held by Coupang at all.
The perpetrator, an unnamed Chinese national and former employee who left the company at the end of 2024, had himself developed Coupang's alternative authentication system while still employed and had stolen the signing key that underpinned it before he left. He began with a test run in January 2025, using the stolen key on 95 accounts. From April, he systematically cycled through member ID numbers, hitting Coupang's delivery address page approximately 148 million times over two months to harvest names, phone numbers and addresses.
Regulatory Response
The PIPC found that throughout the seven-month attack, traffic on the affected pages had spiked to many times their normal levels, and that tens of millions of access attempts had used non-existent member IDs. Coupang detected none of it until a customer forwarded one of the extortion emails. The commission referred Coupang for criminal prosecution over the destruction of evidence.
Regulators had ordered the preservation of access logs on November 21, the day after Coupang filed its initial breach report, but six days later the company manually deleted approximately six months of web access logs. Coupang also failed to suspend its routine policy of automatically deleting logs after six months, allowing further records to be wiped. Roughly 13% of the logs covering the attack period were lost, making it impossible to identify every affected victim.
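The three signals the PIPC cited (a page receiving many times its normal traffic, a flood of requests for member IDs that do not exist, and one client walking IDs in order) are all visible in ordinary web access logs. The script below is an added illustration of how such a check could run over those logs; it is not Coupang's code, and the log line format, the /delivery-address path, the member_id parameter, the sample lines and the thresholds are all constructed assumptions.

```python
"""Detecting member-ID enumeration in web access logs (added example, not Coupang's code).

Assumed log line format: "<timestamp> <client_ip> <method> <path> <status>".
The path, parameter name and thresholds are assumptions; tune them against real baselines.
"""
import re
from collections import defaultdict

# Constructed sample lines. 10.0.0.5 behaves like a shopper looking at its own
# address. 203.0.113.9 walks member IDs in order; three quarters of them do not
# exist (404), and the 200s are the accounts whose address data it harvested.
SAMPLE_LOG = """\
2025-04-01T10:00:01Z 10.0.0.5 GET /delivery-address?member_id=1048576 200
2025-04-01T10:00:09Z 10.0.0.5 GET /cart 200
2025-04-01T10:00:30Z 10.0.0.5 GET /delivery-address?member_id=1048576 200
""" + "".join(
    f"2025-04-01T10:00:{i % 60:02d}Z 203.0.113.9 GET "
    f"/delivery-address?member_id={5000000 + i} {200 if i % 4 == 0 else 404}\n"
    for i in range(40)
)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
ID_RE = re.compile(r"[?&]member_id=(\d+)")


def parse_log(text):
    """Turn log text into records; malformed lines are skipped rather than fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        idm = ID_RE.search(rec["path"])
        rec["member_id"] = int(idm.group(1)) if idm else None
        records.append(rec)
    return records


def longest_sequential_run(ids):
    """Longest run of requests whose member IDs increase by exactly one each time."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def client_stats(records, target_prefix="/delivery-address"):
    """Per-client volume, not-found ratio and sequential-ID run on the target page."""
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0, "ids": []})
    for r in records:
        if not r["path"].startswith(target_prefix) or r["member_id"] is None:
            continue
        s = stats[r["ip"]]
        s["requests"] += 1
        if r["status"] == 404:  # a member ID that does not exist
            s["not_found"] += 1
        s["ids"].append(r["member_id"])
    for s in stats.values():
        s["not_found_ratio"] = s["not_found"] / s["requests"]
        s["longest_sequential_run"] = longest_sequential_run(s["ids"])
        s["distinct_ids"] = len(set(s["ids"]))
    return dict(stats)


def flag_enumeration(stats, min_requests=20, max_not_found_ratio=0.2, min_run=10):
    """Flag clients that hit the page often AND either mostly request IDs that
    do not exist or walk IDs in order. Thresholds are assumed, not measured."""
    flagged = {}
    for ip, s in stats.items():
        if s["requests"] < min_requests:
            continue
        reasons = []
        if s["not_found_ratio"] > max_not_found_ratio:
            reasons.append(f"{s['not_found_ratio']:.0%} of requests for non-existent member IDs")
        if s["longest_sequential_run"] >= min_run:
            reasons.append(f"{s['longest_sequential_run']} consecutive member IDs requested in order")
        if reasons:
            flagged[ip] = reasons
    return flagged


def requests_per_minute(records, target_prefix="/delivery-address"):
    """Traffic to the target page bucketed by minute (timestamp prefix YYYY-MM-DDTHH:MM)."""
    counts = defaultdict(int)
    for r in records:
        if r["path"].startswith(target_prefix):
            counts[r["ts"][:16]] += 1
    return dict(counts)


def spike_minutes(per_minute, baseline, factor=5):
    """Minutes in which the page saw more than `factor` times its normal traffic."""
    return sorted(m for m, n in per_minute.items() if n > factor * baseline)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, reasons in flag_enumeration(client_stats(recs)).items():
        print(ip, "->", "; ".join(reasons))
    print("spike minutes:", spike_minutes(requests_per_minute(recs), baseline=2))
```

Two of the three rules (the not-found ratio and the sequential run) are independent of absolute volume, which matters because a real enumeration is spread over weeks and may never trip a simple rate limit on any one minute; the per-minute spike check is the coarse signal the regulator said was visible in aggregate. None of this works if the logs are gone, which is why a preservation order matters.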
Additional Violations
The investigation, expanded in January 2026 following parliamentary hearings and media coverage, unearthed several violations separate from the breach itself. Through its “Coupang Partners” affiliate marketing program, the company had covertly collected the third-party browsing activity of about 11.2 million users — URLs visited, app names, timestamps, IP addresses and device identifiers — without consent, linking the data to individual member accounts.
Coupang argued the information did not constitute personal data; the regulator disagreed, noting it was stored alongside member ID numbers and device identifiers. The commission imposed a further 201.1 billion won ($132 million) fine for this violation alone. Coupang deleted the records in April 2026 after investigators confronted the company.
Company Response
Coupang said it regretted the PIPC's decision and reserved the right to challenge it through legal proceedings once it receives the formal written ruling. Dispute mediation proceedings covering more than 2,500 individual and group claimants, which had been paused during the investigation, are set to resume on June 12. A class-action lawsuit in the United States also remains pending.
Coupang's shares have fallen around 35% since the start of the year. The company has warned that revenue growth could slow, and faces ongoing scrutiny from South Korean lawmakers over both the breach and its response to it.
Source: The Record