Coupang hit with a historic $409 million fine for a data breach in South Korea.

      TL;DR South Korea’s Personal Information Protection Commission has fined Coupang a historic 624.7 billion won ($409 million) due to a data breach affecting approximately 33.7 million customer accounts. This penalty, the largest ever in South Korean history, has intensified diplomatic tensions between Seoul and Washington.

      South Korea's privacy authority has imposed a groundbreaking fine of 624.7 billion won ($409 million) on e-commerce giant Coupang, marking the highest penalty for a data breach in the country to date. This decision, made today by the Personal Information Protection Commission (PIPC), far exceeds the previous record of 134.8 billion won set when telecom company SK Telecom was penalized last year.

      The fine originates from a breach that allegedly exposed the personal information of over 33.7 million customer accounts, which is about two-thirds of the population of South Korea. Compromised information included names, email addresses, phone numbers, shipping addresses, and order histories, while payment details reportedly remained safe.

      Regarding the incident, Al Jazeera reported that a former employee of Coupang, who was a Chinese national, stole a cryptographic signing key, enabling unauthorized access to customer data from foreign servers. This breach is said to have gone unnoticed for nearly five months, spanning from June to November 2025.

      Coupang first identified suspicious activities on November 18, 2025, but it took them 48 hours to inform regulators, thus missing the required 24-hour notification period. This delay significantly influenced the severity of the penalties, according to PIPC's findings.

      The fine comprises two separate penalties. The PIPC assigned 423.6 billion won for the breach, noting the inadequate management of authentication keys and insufficient access controls that permitted a former employee to access customer data even after leaving the company. An additional penalty of 201.1 billion won was applied for the unauthorized collection of online activity records from roughly 11.17 million users who accessed services beyond Coupang's platform. Moreover, Coupang Fulfillment Services incurred a separate fine of 248 million won for additional privacy violations.

      The financial implications go far beyond the imposed fine. In December 2025, Coupang revealed a compensation plan amounting to around 1.69 trillion won ($1.17 billion) in vouchers for affected customers. CEO Park Dae-jun resigned the same month, and the US parent company appointed Harold Rogers as interim chief, highlighting the seriousness of the situation for South Korea’s leading online retailer.

      Consequently, the company’s stock on the New York exchange has significantly decreased. As of June 10, 2026, Coupang’s shares have fallen by about 32% year-to-date, following a downgrade from Citi from Buy to Neutral in May after the company reported a $266 million net loss in the first quarter, partly attributed to the impact of the voucher program.

      The Coupang situation has also intertwined with wider tensions between the US and South Korea. Fifty-four Republican members of Congress sent a letter to South Korea's ambassador accusing the country of conducting a "whole-of-government assault" on the company. Speculation has grown that the fallout contributed to the White House’s decision to raise tariffs on South Korean goods from 15% to 25% in late January 2026, prompting a firm response from Seoul.

      Almost 100 South Korean lawmakers have signed a letter warning that external pressure on the investigation would violate the nation's judicial sovereignty. The issue has expanded into a broader challenge of whether Washington can use trade policy to protect US-listed companies from foreign regulatory actions, mirroring increasing tensions over European tech regulations in recent months.

      Coupang’s fine comes during a period when regulators globally are imposing larger penalties. The EU recently fined Meta a record €1.2 billion for transferring European user data to the United States, with total GDPR penalties now exceeding €7 billion. In the US, the FTC’s $5 billion fine against Facebook linked to the Cambridge Analytica scandal remains the standard for privacy penalties in the tech sector. Additionally, Google is facing a significant penalty in the EU under the Digital Markets Act.

      For Coupang, the journey ahead is challenging. The company must navigate ongoing shareholder lawsuits, a leadership gap, and the task of restoring consumer trust in a market where it manages the majority of e-commerce transactions. Its reaction to the PIPC ruling and any potential appeal will be closely monitored by regulators and tech firms across Asia and beyond.