What happened
South Korea fined online retail giant Coupang more than $400 million over a massive data breach that exposed the data of more than 30 million customers last year.
The fine is the largest ever issued by Seoul’s Personal Information Protection Commission for a data breach. The commission announced a 423.6 billion won fine over the personal data breach, along with an additional 201 billion won for the non-consensual collection of information.
The breach exposed customer names, contact and delivery details, and order histories. Coupang is South Korea’s largest e-commerce platform and is often described as the country’s equivalent of Amazon.
The commission found that a lack of safeguards, including poor management of authentication signing keys and access controls, resulted in the exposure of personal data belonging to around 37.5 million users.
Coupang said it deeply regrets the concern caused and will strengthen its security measures. However, the company also said it plans to challenge the regulator’s decision, arguing that its explanations and measures to prevent further harm were not sufficiently reflected in the commission’s findings.
The decision followed a months-long investigation after allegations of the data leak surfaced in November. Coupang said at the time that it had been alerted to a breach involving 4,500 customer accounts and immediately reported it to authorities. Later checks found that nearly 34 million customer accounts, all in South Korea, were likely exposed.
Coupang said the breach is believed to have begun as early as June through a server based abroad. Following the breach, Coupang boss Park Dae-jun resigned and apologized for the incident. Chief administrative officer Harold Rogers was appointed interim CEO.
Who is affected
Coupang customers in South Korea are affected by the breach. The number of accounts affected represents more than half of South Korea’s population of around 50 million people.
The exposed information included names, contact and delivery details, and order histories. This combination of data could create risks around targeted scams, phishing, delivery-related fraud, and impersonation attempts.
Coupang’s scale makes the breach especially significant. As the dominant e-commerce company in South Korea, the incident affected a customer base large enough to represent a substantial portion of the country’s population.
Why CISOs should care
This incident shows how failures in authentication key management and access controls can lead to large-scale customer data exposure. The regulator specifically cited poor management of authentication signing keys and access controls as the safeguard failures that contributed to the breach.
For CISOs, the penalty also shows the regulatory consequences of large-scale personal data exposure. The fine is the largest ever issued by South Korea’s privacy regulator for a data breach, with an additional penalty tied to non-consensual information collection.
The breach also highlights the operational and executive fallout that can follow major data incidents. Coupang faced a months-long investigation, public scrutiny, a record fine, and leadership change after the breach. For companies handling consumer data at scale, breach response is not only a technical issue. It can become a regulatory, reputational, and governance event.
3 practical actions
- Strengthen authentication key management and access controls: The regulator found that poor management of authentication signing keys and access controls contributed to the exposure of around 37.5 million users’ personal data. CISOs should review how signing keys are generated, stored, rotated, monitored, and revoked, while ensuring access controls limit who can reach sensitive customer systems.
- Prepare breach investigations for shifting impact estimates: Coupang initially reported a breach involving 4,500 customer accounts, but later checks found that nearly 34 million accounts were likely exposed. Security teams should build incident response processes that can handle changing scope, update regulators quickly, and communicate clearly as new facts emerge.
- Treat order history and delivery data as sensitive personal information: The breach exposed names, contact and delivery details, and order histories. Organizations should classify commerce, logistics, and customer activity data as sensitive, limit access to it, and monitor unusual access patterns because this information can support targeted scams and impersonation.
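The first action above, key generation, rotation, revocation and monitoring for authentication signing keys, in a minimal form. This is an added example, not code from the article or from Coupang: the HMAC token format, the KeyRing class and its audit records are all constructed here, and a real deployment would keep the secrets in a KMS or HSM rather than in process memory.

```python
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

@dataclass
class SigningKey:
    kid: str          # key identifier embedded in every token the key signs
    secret: bytes     # HMAC secret; in production it would live in a KMS or HSM
    expires_at: int   # tokens signed with this key are rejected from this time on
    revoked: bool = False

class KeyRing:
    """Active signing key plus older, unrevoked keys still accepted for verification."""
    def __init__(self, lifetime_s: int):
        self.lifetime_s, self.keys, self.active = lifetime_s, {}, None
        self.audit = []   # (event, kid, time) records: the feed a SOC would monitor

    def rotate(self, now: int) -> str:
        self.active = kid = secrets.token_hex(4)
        self.keys[kid] = SigningKey(kid, secrets.token_bytes(32), now + self.lifetime_s)
        self.audit.append(("rotate", kid, now))
        return kid

    def revoke(self, kid: str, now: int) -> None:
        self.keys[kid].revoked = True
        self.audit.append(("revoke", kid, now))

    def sign(self, claims: dict) -> str:
        key = self.keys[self.active]
        body = base64.urlsafe_b64encode(json.dumps({"kid": key.kid, **claims}, sort_keys=True).encode())
        mac = hmac.new(key.secret, body, hashlib.sha256).digest()
        return (body + b"." + base64.urlsafe_b64encode(mac)).decode()

    def verify(self, token: str, now: int) -> str:
        # Returns "ok" or the reason the token was rejected; rejections are audited.
        try:
            body, mac = token.encode().split(b".")
            kid = json.loads(base64.urlsafe_b64decode(body))["kid"]
            key, given = self.keys[kid], base64.urlsafe_b64decode(mac)
        except (ValueError, KeyError, TypeError):
            return "malformed-or-unknown-key"
        expected = hmac.new(key.secret, body, hashlib.sha256).digest()
        verdict = ("revoked-key" if key.revoked else "expired-key" if now >= key.expires_at
                   else "bad-signature" if not hmac.compare_digest(expected, given) else "ok")
        if verdict != "ok":
            self.audit.append(("reject:" + verdict, kid, now))
        return verdict
```

Tokens name the key that signed them, so a rotated key keeps verifying until it expires, a revoked key is refused immediately, and every refusal lands in the audit feed.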
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.