South Korea’s Personal Information Protection Commission handed Coupang a 624.7 billion won ($412 million) penalty on June 10, the largest privacy enforcement action in Korean history. Approximately two-thirds of the country’s population had their data exposed.

The PIPC split the penalty: 423.6 billion won for the data leak itself, 201.1 billion won for collecting personal data without consent. Coupang Fulfillment Services received a separate fine for using customer data to build an employment restriction list.

PIPC Chairperson Kyung Hee Song didn’t attribute the breach to advanced hacking techniques. She cited “negligent management” and an “inadequate basic safety management system” that failed to keep pace with Coupang’s expansion. I read Coupang’s December 16, 2025 Form 8-K: a former employee had unauthorized access to data across approximately 33 million accounts, undetected for months.

It’s got a US dimension too. Coupang is incorporated in the United States and listed on the American stock market. Greenoaks Capital Partners alleged “discriminatory treatment” and requested a US government investigation. Korean lawmakers pushed back, calling it political interference.

A California class action, Barry v. Coupang, claims the company misled investors by understating its cyberattack exposure and overstating its data safeguards in official filings. Timely disclosure is also at issue.

Every fast-scaling platform is going to face this problem: privileged-access controls don’t expand on their own. This breach came from an insider with standing access, not a zero-day. Any security team still running “we are assessing the root cause” on a similar incident should check whether their access logs cover departures from the prior 18 months.

Worth auditing your own access revocation controls this quarter.

— Rebecca Lauren
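The check suggested above, whether access logs can account for everyone who left in the prior 18 months, sketched as an added example that is not part of the original post. The account names, log format and dates are constructed, and 548 days is an assumed approximation of 18 months.

```python
from datetime import date, datetime, timedelta

# Constructed sample data for illustration; not taken from any real incident.
DEPARTURES = {  # account -> last working day (e.g. an HR export)
    "jkim": date(2025, 1, 31),
    "mpark": date(2025, 6, 13),
    "hnam": date(2024, 9, 15),
    "slee": date(2024, 3, 1),
}
ACCESS_LOG = [  # (ISO timestamp, account, resource)
    ("2025-01-30T09:12:00", "jkim", "customer-db"),
    ("2025-03-02T23:41:00", "jkim", "customer-db"),
    ("2025-06-13T17:05:00", "mpark", "order-api"),
    ("2025-07-01T02:10:00", "jkim", "customer-db"),
    ("2025-07-02T08:00:00", "ychoi", "order-api"),
]

def audit(departures, access_log, today, lookback_days=548):
    """Return (findings, coverage_gaps).

    findings: departed accounts with activity after their last working day.
    coverage_gaps: departed accounts whose leave date is older than the
    oldest retained log entry, so "no findings" proves nothing for them.
    """
    window_start = today - timedelta(days=lookback_days)
    events = sorted(
        (datetime.fromisoformat(ts), acct, res) for ts, acct, res in access_log
    )
    oldest = events[0][0].date() if events else today
    findings, gaps = {}, []
    for acct, left in sorted(departures.items()):
        if left < window_start:
            continue  # outside the 18-month review window
        if left < oldest:
            gaps.append(acct)  # logs do not reach back to the departure
        late = [(ts, res) for ts, a, res in events
                if a == acct and ts.date() > left]
        if late:
            findings[acct] = {
                "first": late[0][0],
                "last": late[-1][0],
                "count": len(late),
                "resources": sorted({res for _, res in late}),
            }
    return findings, gaps

if __name__ == "__main__":
    found, gaps = audit(DEPARTURES, ACCESS_LOG, today=date(2025, 12, 1))
    print("post-departure access:", found)
    print("departures not covered by log retention:", gaps)
```

A non-empty coverage-gap list matters as much as a finding: it means log retention is shorter than the review window, so those accounts cannot be cleared from the logs alone.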