"Personal information of approximately 37.55 million people leaked due to insufficient basic safety management system, including negligence in authentication signature key management and access control," the Personal Information Protection Commission said.
PIPC ruling: record fines, orders, and cited violations
South Korea's Personal Information Protection Commission (PIPC) has issued a landmark enforcement action against e-commerce company Coupang, levying a record fine of 624.681 billion won (roughly $409 million) for failures tied to a massive customer-data breach. The PIPC said the penalties comprise that fine, an additional fine of 16.8 million won, and corrective orders, public announcements, and publication orders. Separately, the company's subsidiary, Coupang Fulfillment Service, was fined 248 million won for unlawfully collecting, using, and handling customers' personal and sensitive data.
Scale and mechanics of the leak: what investigators found
The PIPC's findings identify systemic security weaknesses. Investigators concluded that poor authentication key management and inadequate access controls were central to the incident, and that those failures allowed personal information for roughly 37.55 million people to be exposed. The regulator additionally cited violations of legal requirements on data destruction and leak notification, interference with the independence of Coupang's designated data protection officer, and obstruction of the investigation.
Timeline and the assets recovered from the primary suspect
The breach itself occurred in late June but was not discovered until mid-November, when Coupang warned that approximately 33.7 million accounts had been compromised. South Korean authorities say the principal suspect is a 43-year-old Chinese national who worked in Coupang's IT department from 2022 to 2024. According to the company and authorities, that individual later returned multiple hard drives containing sensitive data and attempted to destroy a MacBook Air by discarding it in a river; the device was recovered. Although millions of accounts were accessed, Coupang said the suspect retained user data for only about 3,000 of them, and that the retained data was deleted from all devices and was not transferred to anyone else.
Coupang's response and compensation commitments
Coupang, described in the PIPC notice as an American online retail company operating in South Korea, employs 95,000 people and has reported annual revenue exceeding $30 billion. In late December the company announced a compensation plan: it said it would pay 1.685 trillion won (approximately $1.17 billion) and would begin distributing single-use purchase vouchers of 50,000 won (about $34) per customer starting in January 2026 to compensate more than 33 million affected customers.
What this means for technologists, policymakers, and consumers
- Technologists and security teams: The PIPC's citation of authentication key mismanagement and weak access controls underscores the operational consequences of lapses in credential lifecycle and privileged-access governance. Security teams will watch the PIPC's corrective orders for concrete technical requirements and may adjust controls around key management and auditability accordingly.
- Policymakers and regulators: The scale of the fines and the combination of monetary penalties with corrective and publication orders signals an assertive regulatory posture toward data protection obligations, including notification, data destruction, and protection of data protection officers' independence.
- Consumers and affected account holders: Coupang's compensation plan covers more than 33 million customers, while the PIPC estimates that roughly 37.55 million people were affected. Those customers should expect ongoing communications tied to the announced vouchers and the regulator's ordered disclosures.
The PIPC decision closes one chapter in what the regulator called one of South Korea's worst data breaches, but it leaves open operational and legal questions that will play out as the corrective orders are implemented and as compensation distributions commence. The record fine, the subsidiary penalty, the criminal investigation into a former IT employee, and Coupang's 1.685-trillion-won compensation commitment together make this a prominent case study in how regulators, companies, and affected users contend with large-scale data incidents.