Coupang faces a historic fine of $409 million due to a data breach in South Korea.

      **TL;DR** South Korea’s Personal Information Protection Commission has fined Coupang 624.7 billion won ($409 million) due to a data breach that affected approximately 33.7 million customer accounts. This is the largest penalty for a data breach in South Korean history and has intensified diplomatic tensions between Seoul and Washington.

      South Korea’s privacy authority has imposed a historic fine of 624.7 billion won ($409 million) on the e-commerce company Coupang, marking the highest data breach penalty in the nation’s history. This ruling, issued today by the Personal Information Protection Commission (PIPC), surpasses the previous record of 134.8 billion won set against telecom company SK Telecom last year.

      The fine is a result of a breach that exposed the personal information of over 33.7 million customer accounts, which is about two-thirds of South Korea’s total population. Affected data includes names, email addresses, phone numbers, shipping addresses, and order histories, although payment information was reportedly not compromised.

      **Details of the Breach**

      As reported by Al Jazeera, a former Coupang employee who was a Chinese national unlawfully acquired a cryptographic signing key, allowing unauthorized access to customer data from overseas servers. This breach reportedly went unnoticed for nearly five months, from June to November 2025.

      Coupang identified unusual activity on 18 November 2025 but delayed notifying regulators for 48 hours, exceeding the legal 24-hour reporting requirement. This delay was a key factor in the severity of the punishment, according to PIPC’s findings.

      **Breakdown of the Fine**

      The fine consists of two separate penalties. The PIPC charged 423.6 billion won for the breach itself, highlighting poor management of authentication keys and lenient access controls that permitted a former employee to access customer information long after leaving the company. Additionally, a fine of 201.1 billion won was imposed for the unauthorized collection of online activity data from approximately 11.17 million users who utilized services outside of Coupang’s platform. Coupang’s logistics division, Coupang Fulfillment Services, also incurred an additional fine of 248 million won for related privacy violations.

      **Financial Implications**

      The financial repercussions extend beyond the fine itself. In December 2025, Coupang announced a compensation plan totaling around 1.69 trillion won ($1.17 billion) in platform-only vouchers for affected customers. CEO Park Dae-jun resigned that same month, and the US parent company appointed Harold Rogers as interim chief, signaling the seriousness of the situation for South Korea’s leading online retailer.

      Coupang’s stock on the New York exchange has suffered significantly, falling about 32% year-to-date as of 10 June 2026, following a downgrade from Citi, which changed its rating from Buy to Neutral after the company reported a net loss of $266 million in the first quarter, partly due to the voucher program's financial impact.

      **Diplomatic Tensions**

      The Coupang case is also intertwined with broader US-South Korea relations. Fifty-four Republican members of Congress sent a letter to the South Korean ambassador accusing the nation of conducting a “whole-of-government assault” on the company. There is increasing speculation that the repercussions of this case may have contributed to the White House’s decision to elevate tariffs on South Korean goods from 15% to 25% in late January 2026. Seoul has firmly opposed this.

      Nearly 100 South Korean lawmakers signed a letter warning that outside pressure regarding the investigation would compromise the country’s judicial sovereignty. This situation has expanded into a larger issue of whether Washington can use trade policies to protect US-listed companies from foreign regulatory actions, reminiscent of escalating tensions regarding European tech regulation.

      **Global Trends in Penalties**

      Coupang's fine comes at a time when regulators globally are imposing substantial penalties. The EU has fined Meta a record €1.2 billion for transferring European user data to the United States, and total GDPR penalties have now exceeded €7 billion. In the US, the FTC's $5 billion fine against Facebook over the Cambridge Analytica affair remains the standard for major tech privacy penalties. Google is also facing significant EU fines under the Digital Markets Act before the summer break.

      For Coupang, the path forward is challenging. The company must contend with ongoing shareholder lawsuits, a leadership gap, and the task of regaining consumer trust in a market where it dominates e-commerce transactions. Its response to the PIPC ruling and any potential appeal of the fine will be closely monitored by regulators and tech companies both in Asia and beyond.