South Korea's data protection regulator has imposed a record fine of $400 million on Coupang, the country's largest e-commerce platform, for a massive data breach that exposed the personal information of 37.5 million users — more than half of South Korea's 50-million population. According to the BBC, the fine is the largest ever issued by Seoul's Personal Information Protection Commission (PIPC) for a data breach.
The Breach and Its Scale
The PIPC announced on Wednesday that it fined Coupang for "violating safety obligations and collecting personal data without legal grounds." The commission found that a lack of safeguards, including poor management of authentication signing keys and access controls, led to the exposure of data for approximately 37.5 million users. The leaked information included names, contact details, delivery addresses, and order histories — data that is especially sensitive for logistics and supply chain operations.
Coupang initially reported a breach of 4,500 customer accounts in November, but subsequent checks revealed that nearly 34 million customer accounts in South Korea were likely exposed. According to Coupang, the breach is believed to have begun as early as June through a server based abroad.
Regulatory Response and Company Reaction
The PIPC fine amounts to 624.68 billion won. In a statement to the BBC, Coupang said it "deeply regrets the concern caused" and will strengthen its security measures, but added that it plans to challenge the PIPC decision. The company expressed disappointment that its explanations and measures to prevent further harm were "not sufficiently reflected" in the commission's decision. "Upon receiving the official resolution from the PIPC, we expect that the facts will be clearly established through legal procedures," Coupang said.
Leadership Impact
Following the breach, Coupang's boss Park Dae-jun resigned from his role, apologizing for the incident. The platform's chief administrative officer, Harold Rogers, was appointed interim CEO. The leadership change underscores the gravity of the data security failure.
Broader Cybersecurity Context in South Korea
According to the BBC, South Korean firms faced a series of high-profile cybersecurity incidents last year, despite the country's reputation for tight data privacy standards. Notably, SK Telecom, the largest mobile operator, was fined nearly $100 million over a data breach involving more than 20 million subscribers. The table below compares the two major fines:
| Company | Fine (approximate USD) | Affected Users | Type of Data Exposed |
|---|---|---|---|
| Coupang | $400 million (624.68bn won) | 37.5 million | Names, contact details, delivery info, order histories |
| SK Telecom | ~$100 million | >20 million | Subscriber data (further details not specified) |
Coupang told the BBC at the time that it was alerted to a breach involving 4,500 customer accounts in November and immediately reported it to the authorities.
Implications for Enterprise Technology Leaders
For CTOs and digital transformation leaders in e-commerce and logistics, this case highlights the critical importance of robust access controls, key management, and continuous monitoring. The PIPC specifically cited poor management of authentication signing keys and access controls as safeguards that were lacking. Because the breach exposed delivery details, it bears directly on supply chain data security. The $400 million penalty, the largest of its kind in South Korea, serves as a stark reminder that regulatory scrutiny is intensifying. As companies digitize trade and logistics, protecting customer and operational data must be a top priority. Coupang's experience demonstrates that even market leaders can face severe consequences from inadequate security measures.