Why it matters. Coupang is South Korea's largest online retailer, so a breach touching 37.5 million people — most of the adult population — and a record fine signal how aggressively Korean regulators are now policing Big Tech's data practices.
Background. South Korea's Personal Information Protection Commission (PIPC) is an independent government body with broad power to fine companies a percentage of related revenue. The country has some of the world's strictest privacy laws, and Coupang, often called the 'Amazon of Korea,' is a NYSE-listed firm whose dominance makes it a high-profile target. The 'blacklist' finding — tracking journalists — is especially sensitive given Korea's contentious history of corporate and state monitoring of the press.
What to watch next. Coupang has signaled it will fight the fine in court, so the case is headed for a prolonged legal battle that could test the limits of the PIPC's authority.
South Korea’s largest-ever privacy penalty
South Korea’s data protection regulator has fined Coupang, the country’s dominant e-commerce platform, a record 624.6 billion won (about US$450 million) over a massive data breach and the unauthorized collection of users’ online activity. The Personal Information Protection Commission (PIPC) announced the decision on June 11, 2026, after a full-bench vote the previous day, calling it the largest fine it has ever imposed.
The penalty bundles several violations. The single largest component, 423.6 billion won, relates to a hacking incident that the commission concluded exposed the personal data of roughly 37.55 million people because Coupang failed to meet basic security obligations. The regulator also imposed a smaller administrative fine of 16.8 million won and said it would refer Coupang to investigators on suspicion of obstructing its inquiry.
What was exposed
According to the PIPC, hackers accessed Coupang systems between April and November 2025, leaking the names, email addresses and other details of 33,222,472 registered members and at least 4,338,368 non-members — more than 37.5 million people in total. The exposure of non-member data was confirmed for the first time during this investigation. The commission said the breach stemmed from inadequate basic security management and lax oversight.
For context, Coupang is often described as the “Amazon of South Korea,” with tens of millions of customers in a country of about 52 million people, making a leak of this scale unusually broad in its reach.
A separate tracking scandal
Investigators uncovered a second, previously unknown practice: between December 2024 and February 2026, Coupang allegedly collected and stored records of its members’ activity on third-party websites and apps. The commission said this affected about 11.17 million users across more than 15.6 million web pages or apps, and drew a fine of 201.1 billion won.
The PIPC warned that such data is personally identifiable on its own and could be used to infer sensitive details — a person’s beliefs or health, for example — posing a serious risk to individuals’ rights.
Blacklist and health-data findings
The regulator added two further penalties. It fined Coupang Fulfillment Services (CFS), a logistics arm, 220 million won over an alleged “blacklist”: a list of police press-corps reporters kept and managed as an employment-restriction record. A further 28 million won was levied for obtaining employees’ health-management information without legal basis.
PIPC Chairperson Song Kyung-hee said the commission had imposed penalties “commensurate with responsibility, in accordance with law and principle,” citing both the neglect of basic safeguards and the infringement of individuals’ right to control their own personal data.
Coupang’s response
Coupang expressed “regret” over the decision and signaled it would mount a legal challenge, meaning the record fine is likely to be contested in court rather than settled immediately.
