According to the authority's investigation, deficiencies in authentication keys and access controls led to the exposure of personal information belonging to approximately 37.5 million users. Coupang, on the other hand, claims that only 3,000 accounts were affected. The company is also found guilty of collecting and storing online activity from 11.17 million users via third-party apps without legal basis.
The authority's chairman, Song Kyung-hee, criticizes the e-commerce retailer for not informing those affected within the prescribed 72 hours:
As a result, these individuals were unaware of the breach and deprived of the opportunity to take measures to prevent secondary damage.
Financial Hit and Political Tensions
The fine amount is the highest in South Korean history for a data leak and corresponds to the majority of Coupang's operating profit from last year (721.1 billion won). The company has apologized for the situation but adds in a statement:
After receiving the commission's official decision, we expect the facts to be clearly established through legal proceedings.
Since Coupang is listed and registered in the USA, the legal process has created diplomatic tensions between Seoul and Washington. American politicians have accused the investigation of being discriminatory towards American companies, while nearly 100 South Korean members of parliament have protested what they consider to be external pressure on the country's authorities.
Previous Compensation Met with Criticism
The data leak was discovered in November last year and is suspected to have been caused by a former employee. No passwords or payment details are said to have been leaked.
Coupang launched in early 2026 a compensation package in the form of value vouchers worth approximately 11 billion Swedish kronor. However, the initiative received criticism from South Korean consumer organizations who argued that the setup primarily functioned as a marketing trick to drive more sales on its own platform.