Back

Coupang Fined Record $400 Million for Major Data Breach Affecting Millions

Severity: High (Score: 72.0)

Sources: Scmp, Themorning.Lk, www.bbc.com, Businesstimes.Sg, Moneycontrol

Published: 2026-06-11 · Updated: 2026-06-11

Keywords: data, south, coupang, record, million, korea, billion

Severity indicators: data leak

Summary

South Korea's Personal Information Protection Commission (PIPC) has fined Coupang, the country's largest e-commerce platform, a record 624.7 billion won (approximately $400 million) due to a significant data breach that compromised the personal information of around 37.5 million users. The breach, initially detected in late 2025, involved unauthorized access to sensitive data, including names, addresses, and order histories, primarily due to inadequate cybersecurity measures. Coupang's internal security protocols were found lacking, particularly in managing authentication keys and access controls. The company has expressed its intention to challenge the ruling in court, claiming that its efforts to mitigate the breach were overlooked. This incident has raised concerns about cybersecurity practices in South Korea and has led to diplomatic tensions with the US, as Coupang is a US-based company. The breach has also resulted in significant financial losses for Coupang, with its stock price plummeting by 35% since the beginning of the year. Key Points: • Coupang fined 624.7 billion won ($400 million) for a data breach affecting 37.5 million users. • The breach exposed sensitive personal data due to inadequate cybersecurity measures. • Coupang plans to challenge the ruling, claiming its security efforts were not acknowledged.

Detailed Analysis

**Impact** Approximately 37.5 million South Korean users were affected by the breach, representing over two-thirds of the country's population. Exposed data included full legal names, phone numbers, email addresses, delivery addresses, and detailed purchase histories. The breach impacted Coupang’s core e-commerce operations, resulting in a record $400+ million fine by the South Korean Personal Information Protection Commission (PIPC), significant revenue slowdown, executive resignations, and ongoing legal disputes. The logistics subsidiary, Coupang Fulfillment Services, was also fined for unauthorized data collection and misuse. **Technical Details** The breach originated from inadequate internal security controls, specifically poor management of authentication signing keys and lax access controls. A former employee, a 43-year-old Chinese national in the IT department, improperly accessed sensitive data over several months starting around June 2025. The attacker retained data on approximately 3,000 accounts and attempted to destroy evidence by discarding a MacBook Air, which was later recovered. No specific malware, CVEs, or external infrastructure details were reported. **Recommended Response** Organizations should enforce strict access control policies and secure management of authentication keys to prevent insider threats. Implement continuous monitoring for unauthorized data access and promptly investigate anomalies. Ensure timely breach notification procedures are in place, adhering to regulatory requirements. Monitor for insider threat indicators and review data handling and destruction protocols to mitigate risks of data exfiltration and evidence tampering.

Source articles (11)

  • South Korea hits e-commerce giant Coupang with record US$409 million fine for data breach — Scmp · 2026-06-11
    ‘Inadequate basic safeguards’ resulted in the personal data of around 37.5 million users being exposed, the privacy commission found Allegations of a massive data leak first surfaced in November, beco…
  • South Korea levies record $409 million in fines on Coupang over personal data leak — Kedglobal · 2026-06-11
    Coupang's trademark same-day 'rocket delivery' service A regulatory dispute over whether Bom Kim, founder of Coupang Inc., should be formally designated as the e-commerce group’s controlling individua…
  • South Korea fines Coupang record 624.7 billion won for data leak — Businesstimes.Sg · 2026-06-11
    [SEOUL] A South Korean regulator fined the country’s largest e-commerce platform, owned by US-listed Coupang, a record 624.7 billion won (S$527 million) for a wide-ranging cyber-intrusion that escalat…
  • South Korea fines Coupang $409 million in country's largest data breach penalty — Moneycontrol · 2026-06-11
    We at moneycontrol use cookies and other tracking technologies to assist you with and determine your location. We also capture cookies to obtain your feedback, analyse your use of our products and ser…
  • Coupang Fined Record $410 Million In South Korea Over Data Breach & Privacy Violations ... — Freepressjournal.In · 2026-06-11
    Seoul: South Korea's data protection regulator on Thursday fined e-commerce company Coupang a record 624.7 billion won ($410 million) over privacy violations, including a massive data breach that affe…
  • South Korea Fines Coupang a Record $400 Million Over Data Breach — Streamlinefeed.Co.Ke · 2026-06-11
    South Korea hits retail giant Coupang with a record $400 million fine following a devastating data breach. The stakes for digital privacy are unprecedented. The global technology sector is reeling fro…
  • South Korea hits e-commerce giant with record $400m fine over data leak, nearly 37.5m ... — Wionews · 2026-06-11
    South Korea has imposed a record fine of over $400 million on e-commerce giant Coupang after a massive data breach exposed the personal information of around 37.5 million users. Regulators cited weak…
  • Korea fines e-commerce giant $400m over data breach affecting millions — Themorning.Lk · 2026-06-11
    South Korea has hit online retail giant Coupang with a record fine of more than $400m (£299m) over a massive data breach that exposed the data of more than 30 million customers last year. The fine is…
  • Coupang hit with record $409 million data breach fine in Korea — Bleepingcomputer · 2026-06-11
    ​​The Personal Information Protection Commission (PIPC), South Korea's data protection regulator, has fined e-commerce giant Coupang a record 624.6 billion won (roughly $409 million) following a massi…
  • South Korea hits Coupang with $400M+ fine for data breach that affected millions — Techcrunch · 2026-06-11
    South Korean authorities have imposed a record-breaking fine of $624 billion won (over $400 million) on retail giant Coupang after a data breach last year compromised the personal data of more than 34…
  • Cvgj4rgz2n2o — www.bbc.com · 2026-06-11
    South Korea has hit online retail giant Coupang with a record fine of more than $400m (£299m) over a massive data breach that exposed the data of more than 30 million customers last year. The fine is…

Timeline

  • 2025-11-01 — Data breach discovered: Coupang reported a data breach affecting 33.7 million accounts, with investigations revealing further exposure of user data.
  • 2026-06-11 — Coupang fined by PIPC: The PIPC imposed a record fine of 624.7 billion won on Coupang for failing to protect user data and unauthorized data collection.
  • 2026-06-11 — Coupang announces legal challenge: Coupang stated its intention to contest the PIPC's ruling, arguing that its security measures were not adequately considered.

Related entities

  • Data Breach (Attack Type)
  • Coupang (Company)
  • Coupang Fulfillment Service (Company)
  • Coupang Fulfillment Services (Company)
  • Kenya (Country)
  • Nigeria (Country)
  • South Korea (Country)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • CWE-287 - Improper Authentication (Cwe)
  • CWE-862 - Missing Authorization (Cwe)
  • Retail (Industry)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed