THE WHAT? South Korea has imposed a record 625 billion won (US$409.3 million) fine on e-commerce giant Coupang for a large-scale customer data breach and unlawful collection of personal information, marking the country’s largest-ever penalty for a data protection violation.
THE DETAILS The Personal Information Protection Commission (PIPC) found that Coupang leaked the personal data of more than 33 million customers and failed to identify the breach within the legally required 72-hour timeframe. The regulator said the incident stemmed from inadequate security measures rather than sophisticated cyberattacks. A government investigation previously determined that a former employee had stolen a security key, enabling unauthorised access to customer accounts. Regulators also found that Coupang’s systems allowed continued access to customer data even after the individual had left the company. In a separate finding, the company was accused of illegally collecting online activity data from around 11 million customers through a marketing programme without obtaining proper consent. The fine represents approximately 1.4% of Coupang’s 2025 revenue of 45 trillion won. Coupang apologised for the incident but said its efforts to mitigate harm were not fully reflected in the regulator’s decision.
THE WHY? The penalty underscores growing regulatory scrutiny of data privacy and cybersecurity practices, particularly for large digital platforms handling vast amounts of consumer information. The case highlights the increasing importance of robust data governance, security controls and regulatory compliance as authorities seek to strengthen consumer protection and accountability in the digital economy.
Source: Inside Retail
