Coupang Hit with Record Fine: "37.5 Million Data Leaked Due to Fundamental Management Failures"
Coupang and Affiliate CFS Fined a Record KRW 624.9 Billion
Penalty More Than Four Times the Previous Record Set for SKT
Violations Include Breach of CPO Independence and Obstruction of Investigation
CFS Registers 71 Police Press Corps Repor
Coupang and its affiliate Coupang Fulfillment Services (CFS), which were involved in a massive personal information leak in November of last year, have been hit with a record-breaking fine totaling 624.9 billion won.
The Personal Information Protection Commission (PIPC) announced that it held a plenary meeting the previous day and, after more than 12 hours of deliberation on the proposed penalty for Coupang, resolved to impose a fine of 624.681 billion won for violations related to safety management obligations and collecting personal information without a legal basis for consent. An administrative fine of 16.8 million won was also set. CFS was separately fined 248 million won for violations related to the handling of personal information.
This amount is about half the maximum fine that can be imposed under the current Personal Information Protection Act for a personal data breach (up to 3% of total sales), which would be 1.3637 trillion won. Compared to the previous largest penalty, which was imposed on SK Telecom (134.8 billion won), this is more than four times greater.
“Coupang incident due to negligence, not sophisticated hacking”
The PIPC found that this incident was not the result of sophisticated hacking but rather due to Coupang’s lack of basic safety management systems and negligence in oversight. The commission concluded that approximately 37.5 million individuals were affected by the leak. Specifically, the personal information of about 33.22 million members was leaked based on account records, and at least 4.33 million non-member data subjects (included in the delivery address management page) had their personal information compromised, based on mobile phone numbers.
According to the PIPC, Coupang neglected to manage access rights by operating a key management system that allowed plaintext viewing of authentication signing keys, even in cases where such access was not required for work. Furthermore, although the hacker who had access to the keys left the company in December 2024, Coupang failed to immediately update or delete the signing keys. In addition, despite detecting excessive abnormal traffic and multiple unauthorized access attempts, Coupang did not recognize these anomalies until after receiving customer complaints triggered by a threatening email from the hacker.
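The two control failures the PIPC describes above, a signing key that was not rotated after the person who could read it left, and a burst of abnormal access that was not noticed until customers complained, are both things an internal audit job can check mechanically. The following Python is an added illustration written for this article; it is not Coupang's or the PIPC's code, and the key inventory, HR offboarding dates, access-log lines, and the window-based rate threshold are all constructed assumptions. The first function flags keys that a departed reader could access and that have not been rotated since the departure date; the second runs a sliding-window count over sample log lines and reports source addresses whose request rate to a sensitive page exceeds a threshold.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed signing-key inventory (assumption): key id, who can read the
# key material, and when it was last rotated.
KEY_INVENTORY = [
    {"key_id": "auth-sign-01", "readers": ["alice", "bob"], "last_rotated": date(2024, 6, 1)},
    {"key_id": "auth-sign-02", "readers": ["carol"], "last_rotated": date(2025, 2, 10)},
    {"key_id": "auth-sign-03", "readers": ["bob", "dave"], "last_rotated": date(2025, 1, 15)},
]

# Constructed HR offboarding records (assumption): user -> departure date.
DEPARTURES = {"bob": date(2024, 12, 20), "carol": date(2025, 1, 5)}


def keys_needing_rotation(inventory, departures):
    """Return key ids that a departed person could read and that were not
    rotated on or after that person's departure date."""
    stale = []
    for key in inventory:
        for reader in key["readers"]:
            left = departures.get(reader)
            if left is not None and key["last_rotated"] < left:
                stale.append(key["key_id"])
                break  # one departed reader is enough to require rotation
    return stale


# Constructed access-log lines (assumption): "<iso timestamp> <ip> <method> <path>".
# One source makes two ordinary requests minutes apart; another makes eight
# requests to the same page within a few seconds.
ACCESS_LOG = [
    "2025-11-01T10:00:01 203.0.113.5 GET /member/modify?uid=1001",
    "2025-11-01T10:05:30 203.0.113.5 GET /member/modify?uid=1001",
] + [
    f"2025-11-01T10:00:{s:02d} 198.51.100.7 GET /member/modify?uid={2000 + s}"
    for s in range(8)
]


def flag_abnormal_access(log_lines, path, window_seconds=60, threshold=5):
    """Count requests per source IP to `path` inside a sliding time window and
    return {ip: peak_count} for sources whose count exceeds `threshold`."""
    events = defaultdict(list)
    for line in log_lines:
        ts, ip, _method, req_path = line.split()[:4]
        if req_path.split("?")[0] != path:
            continue
        events[ip].append(datetime.fromisoformat(ts))

    flagged = {}
    for ip, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans <= window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    print("keys to rotate:", keys_needing_rotation(KEY_INVENTORY, DEPARTURES))
    print("abnormal sources:", flag_abnormal_access(ACCESS_LOG, "/member/modify"))
```

Both checks are deliberately simple: the rotation check compares only dates, so it treats a key rotated on the departure day itself as acceptable, and the rate check uses a fixed window and threshold that a real deployment would tune per endpoint and back with alerting rather than a printed list.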
Additional violations included failure to fulfill notification and destruction obligations, failure to guarantee the independence of the Chief Privacy Officer (CPO), and obstruction of the investigation. During its own investigation into the hacker and the subsequent disclosure of results on its website, Coupang excluded the CPO from the process. The PIPC stated, “We have issued corrective orders to strengthen safety measures to prevent similar incidents, to notify non-member data subjects of the leak, and to ensure the CPO’s substantive role.” The commission added, “We have also recommended improvements to the personal information handling system for withdrawn members and will monitor the implementation and results within three months.”
Additionally, it was found that since 2018, Coupang has infringed on data subject rights by using “Coupang Partners.” From December 23, 2024 to February 4, 2026, Coupang collected online activity records of approximately 11.17 million members who accessed third-party websites and applications (apps) without consent and stored these records in its database while users were still individually identifiable. This included visit records (URLs and app names) of users who accessed third-party sites and apps displaying Coupang advertisements, as well as the date and time of access and the access IP address.
Coupang explained that, since August 2022, it has recognized and addressed so-called “kidnapping ads” through tips, and has operated a reporting system and detection mechanism. The company claimed that, upon detection, sanctions are imposed according to its terms of service or policies. However, the PIPC pointed out that Coupang failed to apply sanctions such as account termination to certain advertising partners, and in some cases, even offered higher commission rates instead of proper penalties, thus violating the law.
The PIPC stated, “We confirmed that Coupang failed to properly manage and supervise advertising partners who posted fraudulent ads (kidnapping ads), which led to the collection of Coupang service usage records against users’ wishes.” The commission continued, “We have issued corrective orders to enhance transparency in personal information processing, guarantee data subjects’ real choices regarding personalized ads, and strengthen oversight to prevent fraudulent ads.”
Song Kyunghui, Chairperson of the Personal Information Protection Commission, is striking the gavel at the 11th plenary meeting of 2026 held on the morning of the 10th at the Government Seoul Office Building. Photo by Personal Information Protection Commission
CFS collected personal information of police press corps without legal basis
In the case of CFS, it was found that from September 2023 to February 2024, the company collected a list of 71 police press corps members who had no work history at its logistics centers and registered them on an employment restriction list. During this process, CFS neither obtained consent from the data subjects nor notified them of the registration, violating standards for the collection and use of personal information. In addition, the company submitted employees’ body weight information—originally collected and managed for health purposes—in industrial accident litigation, thereby violating standards for the handling of sensitive information. The PIPC imposed separate fines of 220 million won and 28 million won for each of these violations.
The PIPC reiterated through this investigation and disposition that all companies handling Korean consumers’ valuable personal information, whether domestic or foreign, must be held to the same standards and strict legal responsibility. Chairperson Song Kyunghui of the PIPC stated, “We hope that this disposition will prompt increased investment in security and stronger internal controls across all online platforms closely connected to people’s daily lives,” adding, “The PIPC will also redouble its efforts to create an environment where people’s personal information is safely used within these platforms.”
Meanwhile, regarding the discrepancy in the number of leaked personal information cases reported by the Ministry of Science and ICT’s joint public-private investigation team in February (33,673,817 cases) and the PIPC’s findings, the PIPC explained, “The investigation team calculated the figure based on the number of times the ‘member information modification page’ was accessed using access logs, whereas the PIPC excluded cases where attackers accessed information multiple times or where personal information was no longer in the database due to member withdrawal, and instead only minimally added non-member data subjects.”
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.