IRCNF

South Korea Fines Coupang a Record $409 Million for Exposing 37.5 Million People's Data and Tracking Users Without Consent

BleepingComputer / Korea Herald

South Korea's Personal Information Protection Commission issued a record 624.68 billion won fine to Coupang today — approximately $409 million at current exchange rates — for a data breach that exposed the personal information of 37.5 million people and the unauthorized collection of browsing data from 11.17 million additional users. The penalty is the largest ever levied by a Korean government agency in a data privacy case, surpassing the previous record held by SK Telecom.

The fine covers two distinct violations. The primary component — 423.58 billion won — is for the data breach itself, which the PIPC attributed to "negligent management" rather than an external attacker bypassing sophisticated security. The secondary component — 201.11 billion won — covers Coupang's unauthorized collection of online activity records from users who visited third-party websites, conducted without their knowledge or consent. Coupang's logistics subsidiary, Coupang Fulfillment Services, received a separate fine of 248 million won for unlawfully collecting personal information to maintain an employment restriction list.

What Happened

The breach was the result of basic security failures rather than an advanced persistent threat. The PIPC's investigation found that Coupang failed to manage its authentication signing keys adequately and operated with weak access controls across its data systems. Because the keys themselves were mishandled, whoever held them could present valid credentials and reach customer data without the brute-force or credential-stuffing activity that typically characterizes large breaches, and that defenders usually build their alerting around. The PIPC characterized this as a failure of fundamental data governance, the kind that large platforms in every jurisdiction are expected to have solved years ago.
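The control the PIPC says was missing, lifecycle management of authentication signing keys, is easiest to see in code. What follows is an added example, not code from Coupang or from the original article, and nothing on the page describes how Coupang's keys were actually used: it is a minimal HMAC-signed token scheme with a key ring in which every key carries an identifier, a rotation deadline and a revocation flag. The names KeyRing, SigningKey, issue and verify, and all secrets and timestamps, are assumptions made for this illustration. Tokens minted under a key that has since been rotated out still verify until they expire, so rotation is graceful, but revoking a key invalidates everything signed with it immediately; a ring that cannot do the second thing is what inadequate signing-key management looks like in practice.

```python
# Added example (not Coupang's code): a token signer/verifier whose key ring
# supports rotation and revocation. Names, secrets and times are constructed.
from __future__ import annotations

import base64
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass
class SigningKey:
    kid: str               # key identifier carried in the token header
    secret: bytes          # HMAC secret
    not_after: float       # epoch seconds; after this the key signs nothing new
    revoked: bool = False  # a revoked key verifies nothing, even unexpired tokens


class KeyRing:
    """Every key still allowed to verify, plus its revocation state."""

    def __init__(self) -> None:
        self._keys: dict[str, SigningKey] = {}

    def add(self, key: SigningKey) -> None:
        self._keys[key.kid] = key

    def revoke(self, kid: str) -> None:
        # Revocation is what a "forgotten" key (a departed employee, a retired
        # service) depends on; rotation alone leaves such a key usable.
        self._keys[kid].revoked = True

    def get(self, kid: str) -> SigningKey | None:
        return self._keys.get(kid)

    def active_key(self, now: float) -> SigningKey:
        """Newest key that may still sign; rotated-out keys only verify."""
        live = [k for k in self._keys.values() if not k.revoked and now < k.not_after]
        if not live:
            raise RuntimeError("no active signing key; rotate a new one in")
        return max(live, key=lambda k: k.not_after)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(ring: KeyRing, claims: dict, now: float, ttl: float = 3600) -> str:
    """Mint header.payload.signature under the ring's current active key."""
    key = ring.active_key(now)
    header = _b64(json.dumps({"alg": "HS256", "kid": key.kid}, sort_keys=True).encode())
    payload = _b64(json.dumps(dict(claims, iat=now, exp=now + ttl), sort_keys=True).encode())
    sig = hmac.new(key.secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify(ring: KeyRing, token: str, now: float) -> tuple[dict | None, str]:
    """Return (claims, "ok") or (None, reason). The kid lookup is where
    revocation bites; a verifier with a default fallback key has no revocation."""
    try:
        h, p, s = token.split(".")
        header, payload, sig = json.loads(_unb64(h)), json.loads(_unb64(p)), _unb64(s)
    except ValueError:
        return None, "malformed"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None, "malformed"
    if header.get("alg") != "HS256":
        return None, "unsupported alg"      # no algorithm negotiation
    key = ring.get(str(header.get("kid")))
    if key is None:
        return None, "unknown kid"          # never fall back to a default key
    if key.revoked:
        return None, "revoked key"
    expected = hmac.new(key.secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    if now >= float(payload.get("exp", 0)):
        return None, "expired"
    return payload, "ok"


def demo() -> dict[str, str]:
    """Walk the key lifecycle with constructed keys and times; return each outcome."""
    ring = KeyRing()
    ring.add(SigningKey("k-2024", b"constructed-secret-A", not_after=2_000.0))
    token = issue(ring, {"sub": "svc-orders"}, now=1_000.0, ttl=5_000.0)  # exp 6000
    results = {"fresh": verify(ring, token, now=1_500.0)[1]}
    results["expired"] = verify(ring, token, now=6_500.0)[1]
    # Rotate: a new key takes over signing, the old one keeps verifying.
    ring.add(SigningKey("k-2025", b"constructed-secret-B", not_after=9_000.0))
    results["active_after_rotation"] = ring.active_key(2_500.0).kid
    results["after_rotation"] = verify(ring, token, now=2_500.0)[1]
    # Forged payload under the old signature, and a header naming a kid we never issued.
    h, _, s = token.split(".")
    forged = _b64(json.dumps({"sub": "admin", "iat": 1_000.0, "exp": 6_000.0}).encode())
    results["tampered"] = verify(ring, f"{h}.{forged}.{s}", now=1_500.0)[1]
    stray = _b64(json.dumps({"alg": "HS256", "kid": "k-none"}, sort_keys=True).encode())
    results["unknown_kid"] = verify(ring, f"{stray}.{token.split('.')[1]}.{s}", now=1_500.0)[1]
    # Revoke: the old key's tokens die now, even though they are unexpired.
    ring.revoke("k-2024")
    results["after_revocation"] = verify(ring, token, now=2_500.0)[1]
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:22} {outcome}")
```

The order of checks in verify is deliberate: the key is looked up and its revocation state consulted before any cryptography runs, so a revoked or unknown key can never be "rescued" by a valid-looking signature, and the signature is checked before the expiry claim is trusted, since an unsigned payload could otherwise set any exp it liked.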

The 37.5 million affected individuals represent a significant fraction of South Korea's total population of approximately 51.7 million. Given that Coupang's customer base skews toward adults with internet access and disposable income — the core e-commerce demographic — the breach's real coverage of the country's active adult population is considerably higher than the raw percentage suggests. The exposed data includes names, email addresses, and other personal information, though the PIPC has not disclosed the full scope of fields compromised in the breach.

The unauthorized tracking component was a separate practice. Coupang collected browsing records from approximately 11.17 million users as those users visited third-party websites — not Coupang's own platforms. This type of cross-site tracking without explicit user consent has drawn regulatory attention across multiple jurisdictions over the past five years. In the EU, similar practices have generated significant GDPR fines against Meta, Google, and others. South Korea's PIPA (Personal Information Protection Act) includes comparable consent requirements, and the PIPC found that Coupang's tracking was conducted without meeting those requirements.

Why the Fine Is So Large

The 624.68 billion won figure is not just the largest Korean data privacy fine — it is large by any international standard. For context: the EU's largest single GDPR fine to date is Meta's 1.2 billion euro penalty from 2023 for data transfers to the US. South Korea's fine against Coupang, while smaller in absolute euro terms, represents a substantially larger fraction of Coupang's Korean revenue and reflects a deliberate regulatory intent to impose penalties that are economically meaningful rather than formulaic.

The PIPC also cited Coupang for three additional violations that are not part of the core financial penalty but have compliance implications: failing to notify affected individuals of the breach within the timeframe required by PIPA, failing to fulfill data deletion obligations for users who had requested deletion before the breach occurred, and interfering with the regulator's inquiry during the investigation process. The last of these is particularly significant — obstruction findings tend to increase regulatory scrutiny on the company going forward and can affect how future violations are treated.

Coupang's Position

Coupang has not issued a detailed public response to the fine as of this publication. The company is South Korea's largest e-commerce operator — equivalent in market position to Amazon in the US or Flipkart in India — and operates Rocket Delivery, its same-day and next-day logistics network, alongside streaming service Coupang Play and food delivery platform Coupang Eats. Coupang listed on the NYSE in 2021 at an initial valuation of approximately $60 billion; the company has since seen its market capitalization contract substantially from that peak.

The company has the right to appeal the PIPC's fine to Korean courts, which is standard practice for penalties of this size. Large corporate data privacy fines in Korea have historically been contested, and the final amount can change through the appeals process. However, the PIPC's investigation and the structural nature of the violations — basic key management failures, systematic unauthorized tracking — leave limited grounds for arguing that the penalties are factually incorrect, as opposed to arguing about the proportionality of the fine amount.

The Regulatory Context

South Korea has been significantly more aggressive in data privacy enforcement over the past two years than its historical record suggested it would be. The PIPA amendment that took effect in 2023 expanded the PIPC's enforcement authority, notably by basing the ceiling on administrative fines on a company's total revenue rather than only the revenue tied to the violation. The Coupang fine follows earlier penalties against SK Telecom (for a separate breach), Kakao, and several foreign platforms operating in Korea.

The international dimension is relevant because Coupang's largest shareholder is SoftBank, which holds a substantial stake, and the company has significant US investor exposure through its NYSE listing. A $409 million fine — even if partially reduced on appeal — is a material financial event. It also arrives as Coupang has been investing heavily in international expansion, including entry into Taiwan and continued development of its Japanese operations. Regulatory penalties of this scale impose both direct financial cost and indirect compliance cost, as the company must now demonstrate to the PIPC's satisfaction that its data governance practices have been fundamentally reformed.

For other large platforms operating in Korea — both domestic and foreign — today's fine is a clear signal. The PIPC has demonstrated both the willingness and the legal authority to impose fines at a scale that requires executive attention, not just compliance team remediation.

Originally reported by BleepingComputer / Korea Herald. Read the original article for additional details.
