Coupang Faces Record Fine Over Data Breach

What's happened

Coupang has been hit with the largest data-privacy penalty in South Korea, with the Personal Information Protection Commission fining the U.S.-listed company after a breach exposed millions of customers’ data. Coupang says it will challenge the ruling as regulators link the case to broader U.S.-South Korea tensions.

What's behind the headline?

The story in context

• The penalty marks a turning point in Korea’s approach to data privacy involving international firms.
• Regulators describe the breach as a failure of basic protections, not an advanced cyber attack.

What this reveals about accountability

• A high-profile U.S.-listed company is facing unprecedented regulatory action in Korea, potentially influencing how global tech firms handle data in the region.
• The political overtones, including discussions in Washington about regulatory actions, may shape broader policy debates on cross-border data governance.

What readers should watch

• How Coupang’s court challenge unfolds and whether the regulator’s findings are upheld.
• Any changes Coupang implements to its data protections and how quickly they are adopted across its services.
• Possible shifts in U.S.-Korea regulatory dialogue tied to this case.

How we got here

The breach, discovered in 2025, affected tens of millions of Coupang customers and involved a former employee gaining access to data. Regulators found the breach stemmed from weak safety measures rather than a sophisticated hack. The aftermath has strained Coupang’s relations with Seoul and drawn scrutiny from U.S. lawmakers.

Our analysis

New York Times (Choe Sang-Hun) provides detailed reporting on the fine, court pushback, and cross-border tensions. Al Jazeera and TechCrunch add regional context and the scale of the breach, citing the regulator’s statements and the company’s response.

Go deeper

• What consequences could this have for other U.S.-listed companies operating in Korea?
• Will Coupang’s data protections evolve in response to this ruling?
• How might this affect U.S.-Korea regulatory cooperation on tech and data?

More on these topics

• South Korea - Country in East Asia

  South Korea, officially the Republic of Korea, is a country in East Asia, constituting the southern part of the Korean Peninsula and sharing a land border with North Korea.

• Seoul - Capital of South Korea

  Seoul, officially the Seoul Special City, is the capital and largest metropolis of South Korea. Seoul has a population of 9.7 million people, and forms the heart of the Seoul Capital Area with the surrounding Incheon metropolis and Gyeonggi province.

• Personal Information Protection Commission - Government agency

  The Personal Information Protection Commission is a Japanese government commission charged with the protection of personal information. It was established on January 1, 2016 to replaces the Specific Personal Information Protection Commission.

• Coupang - Company

  Coupang is a South Korean e-commerce company founded in 2010.

• SK Telecom - Telecommunications company

  SK Telecom Co., Ltd. is a South Korean wireless telecommunications operator; it is part of the SK Group, one of the country's largest chaebols.

• United States - Country in North America

  The United States of America, commonly known as the United States or America, is a country mostly located in central North America, between Canada and Mexico.