Korean Ecommerce Giant Hit With Record-Setting Fine Over Massive Data Breach

The 2025 data breach of Coupang, the South Korean ecommerce giant often referred to as the country’s equivalent of Amazon, is going to cost the company a total of about 624 billion won (the equivalent of about $411 million) in fines.

The total is a record amount for the Personal Information Protection Commission (PIPC), far surpassing the prior record of 134.8 billion won (about $89 million) in fines issued to SK Telecom earlier this year. South Korea’s national data protection law, the Personal Information Protection Act (PIPA), allows for fines of up to 3% of an organization’s annual revenue, making it one of the more stringent in the world. However, in these cases the record amount was for just a little over 1% of Coupang’s annual revenue and the prior record was for just under 1% of SK Telecom’s annual revenue.

Coupang data breach exposed 34 million accounts, prompted CEO change

The Coupang data breach was first discovered and reported on in November 2025, but follow-up investigation found it began in late June of that year and thus ran for about five months. An initial report of only about 4,500 customer accounts being accessed by the hackers was soon updated to 34 million, or nearly the ecommerce site’s entire current and prior customer base and well over half the national population count.

The data breach is believed to have been an inside job, tied to a former engineer, a Chinese national who had previously left the company and returned home. The hacker stole a private encryption key and used it to create authentication tokens allowing access to user accounts. Impacted users, who appear to be pretty much the entirety of the company’s customers, had basic contact information from their accounts exposed: full names, the email address and phone number associated with the account, shipping addresses and some details about order history. Login credentials and payment information were not exposed.

The fine for the data breach was separated into two portions, but each individually is larger than the prior SK Telecom penalty. 423.6 billion won was assessed for failures related to the data breach, with an additional 210 billion won added for non-consensual collection of personal information. The latter fine was for a more limited subset of about 11.7 million customer activity records that were stored on third-party apps and websites.

Former Coupang head Park Dae-jun apologized publicly and resigned from his role after the full scope of the breach was revealed in December, with administrative officer Harold Rogers appointed in his place as interim CEO.

Investigation finds ecommerce giant was negligent in its security

The PIPC investigation determined that the ecommerce site was missing important security safeguards, such as access controls and tools for management of signing keys. Additionally, it missed the required data breach reporting window of 72 hours from discovery of the incident.

The maximum fine in this case was limited to 3% of annual revenue due to the data breach taking place in 2025. New terms set to go into effect in September will raise that limit to 10%. The company has already taken a significant revenue hit even before having to pony up for these fines, however. It has issued a voucher set worth a total of 50,000 won (about $35) to customers as a means of apology, redeemable at the ecommerce giant’s assorted services for product purchases, food delivery and travel. This program is estimated to have cost the company 1.69 trillion won, or about $1 billion; the large amount is due to it being extended to all impacted former customers as well as those with current active accounts. However, consumers have criticized what they describe as significant usage restrictions on the vouchers and it remains unclear how much of that value will actually be redeemed.

The ecommerce giant has also said that it plans to challenge the fine amount. The company does not necessarily have good standing from which to make this challenge, however, suffering not just from the investigation reflecting poorly on it but also having experienced other data breaches fairly recently. In late 2023 its seller management system was breached and exposed information from about 22,000 accounts, and in 2020 and 2021 it also experienced smaller-scale breaches that involved the information of both customers and delivery drivers.

The incident also sparked some international controversy, though that now seems to be largely resolved with the issuance of the fine. Though its ecommerce market is almost entirely in Asia, Coupang is listed in the United States and maintains a regional office there. Some members of the US Congress attempted to apply pressure on South Korea to minimize any regulatory action due to this, as the company would have faced little in consequences under US federal law.