Coupang has been dealt a historic blow by South Korea's privacy watchdog, receiving a record-breaking 624.7 billion won fine for a massive 2025 data breach and unlawful user tracking.
The sheer scale of this penalty is significant. It represents about 1.27% of Coupang's 2025 revenue and wipes out approximately 87% of its operating income for that year. When combined with the 1.685 trillion won compensation package already distributed to affected users, the total direct financial hit climbs to over 2.3 trillion won. This figure surpasses the company's entire adjusted EBITDA for 2025, highlighting the material impact on its finances.
The root of this penalty traces back to mid-2025. First, a former employee allegedly created a system to improperly access user data between June and October. Second, this vulnerability led to extortion attempts in November, confirming that sensitive data had been exfiltrated. Finally, this culminated in the public disclosure of the breach in December 2025, which affected nearly 34 million users and officially triggered the investigation by the PIPC.
The path to this record fine was paved with escalating tensions and revelations. In January 2026, Coupang rolled out its massive voucher program, an implicit admission of the breach's severity. However, this was followed by a public warning from the PIPC against the company releasing unconfirmed details. By February, a joint investigation confirmed the staggering scale of the breach—over 33 million accounts accessed—which provided the factual basis for a severe penalty.
This decision didn't happen in a vacuum. It's the culmination of mounting regulatory pressure from multiple agencies, including several other fines from the Fair Trade Commission. Furthermore, the penalty was issued amid heightened U.S.-Korea trade scrutiny, with U.S. investors initially petitioning the USTR under Section 301 over alleged discriminatory treatment. This complex backdrop likely reinforced the regulator's need to apply its rules strictly and impartially.
Ultimately, this landmark fine sets a new precedent for data privacy enforcement in South Korea, signaling to all large platforms that failures in basic security and user trust will come with a steep price.
[Glossary]
- PIPC (Personal Information Protection Commission): South Korea's independent government agency responsible for protecting personal data.
- Adjusted EBITDA: A financial metric that measures a company's operating profitability before non-cash charges and interest/tax expenses. It is often used to assess performance.
- Section 301: A part of U.S. trade law that allows the U.S. Trade Representative (USTR) to investigate and take action against foreign trade practices deemed unfair or discriminatory.