South Korea has fined Coupang, the nation’s largest e-commerce platform, a record 624.7 billion won (approximately $409 million) for a massive customer data breach and the illegal collection of personal information. The penalty, levied Thursday by the Personal Information Protection Commission (PIPC), marks the largest data-privacy fine in the country’s history. Coupang, which is incorporated in the United States but derives the vast majority of its revenue from South Korea, announced it would contest the ruling in court.
The enforcement action has escalated into an unusual diplomatic friction between Washington and Seoul. Coupang, along with several Republican members of Congress, has accused the South Korean government of weaponizing regulatory proceedings against an American company. South Korean officials have pushed back, characterizing their actions as standard due process and labeling the U.S. political intervention as interference in domestic affairs. They further allege that Coupang’s intense lobbying in Washington has complicated negotiations over a bilateral trade deal, the collapse of which could trigger punitive U.S. tariffs.
According to the commission’s findings, the breach—discovered last year—exposed personal data belonging to 33 million customer accounts and an additional 4 million non-members, including relatives of Coupang users. Regulators also determined the company unlawfully collected and stored the online activity of 11 million users across third-party websites and applications.
“This accident occurred because of Coupang’s lack of safety measures and systems, not sophisticated hacking,” PIPC Chairwoman Song Kyung-hee stated Thursday.
Founded in 2010 by Korean-American entrepreneur Bom Kim in his native country, Coupang’s “Rocket Delivery” service has become ubiquitous in South Korean urban life. However, relations with the government deteriorated sharply after revelations last November that a former employee based in China had accessed vast troves of customer data. Tensions deepened when Kim declined to attend a parliamentary hearing on the matter.
The new fine dwarfs the previous record of $88 million, imposed last year on mobile carrier SK Telecom for a separate data breach.
Coupang reiterated its apology on Thursday and pledged to bolster its data protection practices. The company expressed regret, however, that the preemptive measures it took to prevent secondary harm and its existing privacy protocols were not adequately factored into the commission’s decision. “After receiving the commission’s official ruling, we expect the facts to be clearly established through legal procedures,” Coupang said in a statement.
