South Korea’s Personal Information Protection Commission on Thursday fined Coupang Corp. a record 624.7 billion won ($410 million) over privacy violations that included a massive data breach and the unauthorized collection of records of online user activity, the regulator said.
The commission decided to impose 423.6 billion won of the fine for the data breach and an additional 201.1 billion won for collecting records of online activities of 11.17 million users without their permission, according to commission chief Song Kyung-hee. The regulator said it also filed a complaint against Coupang for obstructing the investigation.
“This incident happened not by sophisticated hacking, but due to Coupang’s inadequate safety management system,” Song said in a briefing.
Coupang belatedly reported the data breach in November 2025, more than six months before the penalty was announced. The breach affected approximately 37.5 million users — 33.2 million Coupang members and 4.3 million others, Song said. The figure exceeded an earlier estimate of 33.67 million accounts determined by a joint private-public probe.
The compromised data included names, phone numbers and delivery details.
The penalty for the data breach is over three times higher than the regulator’s previous record fine of 134.8 billion won imposed in August 2025 against mobile carrier SK Telecom for a data leak that affected 23 million users, according to the commission.
Coupang failed to detect multiple irregularities related to the breach and did not properly manage its authentication system, the watchdog said.
Under South Korea’s personal information protection law, companies that suffer personal information leaks can be fined up to 3 percent of their annual sales. Coupang logged about 36 trillion won in annual sales on average in the past three years, according to industry data.
The regulator also found that Coupang collected records of online activities of users who accessed other services without their permission, including websites and applications visited. It additionally determined that the company did not properly manage advertisement partners that posted “hi-jacking” advertisements.
Separately, the watchdog fined Coupang’s logistics arm, Coupang Fulfillment Services, 248 million won for various privacy violations, such as collecting a list of journalists and keeping them on an employment restriction list.
Coupang expressed regret over the record fine and said it plans to “clarify the facts through legal procedures.”
The massive data leak has emerged as a source of friction between Seoul and Washington after some U.S. officials and lawmakers raised concerns about whether the Korean unit of U.S.-listed Coupang Inc. was being treated unfairly in the investigation. Song said the watchdog’s penalty was based on the investigation results and that it did not consider “other influences.”