South Korea’s data protection authority has imposed a record fine on e-commerce company Coupang following a massive data breach that exposed the personal information of tens of millions of users. The penalty, amounting to 624.68 billion won (approximately $400 million or ₹3,320 crore), is the largest ever issued by the country’s Personal Information Protection Commission (PIPC) in a data breach case.
Systemic Security Lapses and Authentication Vulnerabilities
According to the regulator, the incident represents one of the most significant cybersecurity failures in South Korea’s digital economy, affecting around 37.5 million users—nearly half of the country’s population. The exposed data reportedly included names, contact details, delivery addresses, and order histories of customers using the platform.
Investigations revealed that the breach began as early as June last year and is believed to have originated through a foreign server. Initial disclosures by the company suggested that only about 4,500 accounts were affected. However, subsequent internal audits significantly expanded the scale of the breach, confirming that millions of accounts were compromised.
Coupang, often described as South Korea’s equivalent of Amazon due to its dominant position in the country’s online retail market, acknowledged the regulator’s decision and said it plans to review and challenge the ruling through legal channels. The company also admitted that its existing security measures were not sufficiently robust and pledged to strengthen its cybersecurity infrastructure.
Accountability Actions and Corporate Governance Shifts
The PIPC said its investigation uncovered multiple critical security weaknesses, including poor management of authentication keys, inadequate access controls, and failures in enforcing basic data protection protocols. These lapses, according to the commission, enabled attackers to gain unauthorized access to sensitive user information on a large scale.
The breach has also led to leadership changes within the company. Former CEO Park Dae-jun stepped down following the incident, taking responsibility for the failure, while an interim chief executive was appointed to stabilize operations and restore trust among users and regulators.
Digital Marketplace Vulnerabilities and Cloud Encryption Hardening
Cybersecurity experts say the case highlights growing risks in the global e-commerce ecosystem, where vast amounts of personal and financial data are stored on centralized digital platforms. With the rapid expansion of online shopping and digital payments, the potential impact of such breaches has increased significantly.
South Korea has witnessed a series of major cybersecurity incidents in recent years despite its strong digital infrastructure. In a previous case, telecom giant SK Telecom was fined nearly $100 million after a data breach exposed information belonging to more than 20 million subscribers, underscoring persistent vulnerabilities across major technology platforms.
Revenue-Based Regulatory Penalties and Global Compliance
Regulators stated that Coupang failed to comply with mandatory data protection standards, which directly contributed to the severity of the breach. The commission further noted that post-incident corrective measures presented by the company were insufficient to fully address the systemic security failures.
Experts argue that financial penalties alone are not enough to prevent such incidents. They emphasize the need for comprehensive cybersecurity restructuring, particularly for platforms handling sensitive personal data at scale. Measures such as advanced encryption, multi-layer security systems, strict authentication protocols, and real-time monitoring are increasingly seen as essential requirements.
The regulator has indicated that it may consider even stricter enforcement of data protection laws in the future. The ruling is also being closely watched by global tech companies, as it reinforces the growing expectation that failure to safeguard user data can result in not only massive financial penalties but also severe reputational damage.