Coupang faces record fine as data breach exposes millions of users

South Korea’s Personal Information Protection Commission (PIPC) has fined e-commerce company Coupang more than $400 million over a data breach that exposed the personal information of approximately 37.5 million users, the BBC reported.

The penalty is the largest ever issued by the PIPC for a data breach. According to the commission, inadequate safeguards, including weaknesses in the management of authentication signing keys and access controls, contributed to the exposure of customer names, contact information, delivery details and order histories.

The investigation began after allegations of the breach emerged in November. Coupang initially reported that 4,500 customer accounts had been affected, but later found that nearly 34 million accounts in South Korea were likely exposed. The company said the breach may have started as early as June through a server located overseas.

In announcing the fine, the PIPC said Coupang had violated safety obligations and collected personal data without legal grounds.

Coupang said it regrets the concern caused by the incident and plans to strengthen its security measures. However, the company stated that its explanations and efforts to prevent further harm were not sufficiently reflected in the regulator’s decision and that it intends to challenge the ruling through legal channels.