South Korea Fines Coupang $409M Over Massive Data Breach
Data Breach Today
Investigators Found Months of Unchecked Database Scraping Activity
South Korea's privacy regulator fined Coupang a record 624.7 billion won after concluding that weak authentication controls, insider access abuse, evidence destruction and unauthorized data collection contributed to the exposure of personal information belonging to 33.7 million people.
Tiffany Wang • June 16, 2026
South Korean regulators imposed a hefty fine of 624.7 billion won on domestic e-commerce giant Coupang. The fine, equivalent to $409 million, follows a series of privacy and security violations stemming from the company's massive data breach.
The Personal Information Protection Commission determined that Coupang's incident, which exposed 33.7 million people's personal information, was self-inflicted because the company failed to meet basic safeguards for authentication key management and access controls (see: Coupang and the Horrible, No Good, Very Bad Data Breach).
Coupang also failed to promptly report the breach and intentionally destroyed six months of access logs after authorities ordered the company to preserve them.
The penalty against Korea's largest online retailer is the most substantial fine ever issued by the commission for a data breach, surpassing the previous record of 134.8 billion won - $88.8 million - levied against the country's major mobile carrier SK Telecom.
Regulators said Coupang's internal database was scraped hundreds of millions of times over a 10-month period in 2025 by a former Chinese employee who had worked as a software developer on the company's authentication systems until right before the attack. He kept an internal signing key when he left.
The unnamed perpetrator cycled through records of member IDs, names, phone numbers, email and physical addresses, apartment entry codes and order history to assemble complete customer profiles. He then sent extortion emails to customers and Coupang.
Traffic to the targeted pages spiked many times above normal levels, and many of the access attempts originated from fake member IDs. Despite the abnormal traffic, Coupang never detected or acknowledged any of the activity until a customer raised concerns about the ransom emails.
Regulators found that the breach affected Coupang account holders as well as 4.3 million non-members whose names, phone numbers and addresses had been provided as delivery recipients by customers.
Despite authorities ordering Coupang to preserve evidence a day after it filed its initial breach report, the company manually deleted approximately six months of access logs six days later and did not pause its automatic log deletion. Roughly 13% of the logs from the attack period were erased, meaning there could be additional victims who could never be identified.
Regulators also found the company's marketing program collected 11 million users' browsing data from third-party websites and applications without authorization, including URLs visited, app names, timestamps, IP addresses and device identifiers. Some users were redirected to Coupang through so-called "hijack ads," where transparent overlays triggered redirects without users intentionally clicking on an advertisement.
Coupang argued the marketing data did not constitute personal information and deleted the records in April after being questioned by regulators.
The company's logistics subsidiary was also accused of illegally disclosing employees' weight data in industrial accident litigation and maintaining an employment-restriction list containing the personal information of 71 journalists accused of "spreading false information."
"We apologize to our customers and the public for causing concern," Coupang said after receiving PIPC's written accusations, but it said it has many disagreements with the ruling and plans to challenge the penalty through legal proceedings.