Coupang Fined $410 Million for Major Data Breach Affecting 37.5 Million Users
Severity: High (Score: 70.5)
Sources: Freepressjournal.In, Themorning.Lk, Businesstimes.Sg, Bleepingcomputer, Kedglobal
Published: · Updated:
Keywords: data, south, coupang, record, million, korea, billion
Severity indicators: data leak
Summary
South Korea's Personal Information Protection Commission imposed a record fine of 624.7 billion won (approximately $410 million) on Coupang for a significant data breach that exposed personal information of over 37 million users. The breach, which occurred due to inadequate security measures, allowed unauthorized access to sensitive data including names, delivery details, and order histories. Coupang's failure to manage authentication keys and access controls was highlighted as a key factor in the breach. The company plans to challenge the ruling in court, asserting that its efforts to mitigate harm were not adequately considered. The incident has strained diplomatic relations between South Korea and the US, as Coupang is a US-based company with a significant presence in South Korea. The breach first came to light in November 2025, prompting regulatory scrutiny and multiple investigations. Coupang's stock has dropped significantly since the incident, reflecting investor concerns about its future growth and reputation. Key Points: • Coupang fined a record $410 million for a data breach affecting 37.5 million users. • The breach was caused by inadequate security measures and poor management of access controls. • Coupang plans to contest the ruling, claiming its mitigation efforts were overlooked.
Detailed Analysis
**Impact** Approximately 37.5 million users in South Korea were affected by the breach, including 33.2 million registered members and 4.3 million non-members, representing over two-thirds of the country's population. Exposed data included names, phone numbers, delivery details, and order histories. The breach impacted Coupang’s business operations, leading to a 35% share price decline and slowed revenue growth due to customer compensation efforts. Additionally, Coupang Fulfillment Services was fined for unauthorized collection of personal data and maintaining an employment restriction list, indicating operational and reputational damage across the group. **Technical Details** The breach resulted from inadequate basic safeguards, including poor management of authentication signing keys and lax access controls. The intrusion was not attributed to sophisticated hacking but rather to internal negligence and insufficient security management. The breach began as early as June 2025 via a server located abroad and remained undetected for months. No specific malware, CVEs, or detailed TTPs were disclosed in the available reports. **Recommended Response** Organizations should prioritize strengthening access controls and key management systems to prevent unauthorized data access. Monitoring for unusual internal access patterns and enforcing timely breach notification protocols are critical. Legal and compliance teams should prepare for regulatory scrutiny and ensure data protection policies are up to date. No specific IOCs or patches were provided; defenders should monitor for indicators of insider threats and unauthorized data exfiltration.
Source articles (6)
- South Korea hits e-commerce giant Coupang with record US$409 million fine for data breach — Scmp · 2026-06-11
‘Inadequate basic safeguards’ resulted in the personal data of around 37.5 million users being exposed, the privacy commission found Allegations of a massive data leak first surfaced in November, beco… - South Korea levies record $409 million in fines on Coupang over personal data leak — Kedglobal · 2026-06-11
Coupang's trademark same-day 'rocket delivery' service A regulatory dispute over whether Bom Kim, founder of Coupang Inc., should be formally designated as the e-commerce group’s controlling individua… - South Korea fines Coupang record 624.7 billion won for data leak — Businesstimes.Sg · 2026-06-11
[SEOUL] A South Korean regulator fined the country’s largest e-commerce platform, owned by US-listed Coupang, a record 624.7 billion won (S$527 million) for a wide-ranging cyber-intrusion that escalat… - Coupang Fined Record $410 Million In South Korea Over Data Breach & Privacy Violations ... — Freepressjournal.In · 2026-06-11
Seoul: South Korea's data protection regulator on Thursday fined e-commerce company Coupang a record 624.7 billion won ($410 million) over privacy violations, including a massive data breach that affe… - Korea fines e-commerce giant $400m over data breach affecting millions — Themorning.Lk · 2026-06-11
South Korea has hit online retail giant Coupang with a record fine of more than $400m (£299m) over a massive data breach that exposed the data of more than 30 million customers last year. The fine is… - Coupang hit with record $409 million data breach fine in Korea — Bleepingcomputer · 2026-06-11
The Personal Information Protection Commission (PIPC), South Korea's data protection regulator, has fined e-commerce giant Coupang a record 624.6 billion won (roughly $409 million) following a massi…
Timeline
- 2025-11-01 — Data breach first reported: Coupang alerted authorities about a breach involving 4,500 customer accounts, later found to affect 34 million accounts.
- 2026-06-11 — Coupang fined by South Korea: The Personal Information Protection Commission imposed a record fine of 624.7 billion won for privacy violations and data breach.
- 2026-06-11 — Coupang announces plans to challenge fine: Coupang stated it would contest the commission's decision, asserting that its preventive measures were not fully acknowledged.
Related entities
- Data Breach (Attack Type)
- Coupang (Company)
- Coupang Fulfillment Service (Company)
- Coupang Fulfillment Services (Company)
- South Korea (Country)
- CWE-200 - Exposure of Sensitive Information (Cwe)
- CWE-287 - Improper Authentication (Cwe)
- CWE-862 - Missing Authorization (Cwe)
- Retail (Industry)