Asia

South Korea fines Coupang over massive data breach

Privacy regulator cites exposure of data tied to more than 34 million customers, insider access turns into a $400 million balance-sheet event

Images

Image Credits:Coupang Image Credits:Coupang techcrunch.com
Zack Whittaker Zack Whittaker techcrunch.com
North Korean soldiers attend a mass rally to celebrate the North's declaration on November 29 it had achieved full nuclear statehood, on Kim Il-Sung Square in Pyongyang on December 1, 2017. North Korea's leader Kim Jong-Un declared the country had achieved a "historic cause" of becoming a nuclear state, its state media said on November 29, after the country tested an intercontinental ballistic missile earlier in the day. North Korean soldiers attend a mass rally to celebrate the North's declaration on November 29 it had achieved full nuclear statehood, on Kim Il-Sung Square in Pyongyang on December 1, 2017. North Korea's leader Kim Jong-Un declared the country had achieved a "historic cause" of becoming a nuclear state, its state media said on November 29, after the country tested an intercontinental ballistic missile earlier in the day. techcrunch.com
ServiceNow logo at Singapore FinTech Festival in November 2023. ServiceNow logo at Singapore FinTech Festival in November 2023. techcrunch.com
A delivery driver for Coupang's Dawn Delivery service A delivery driver for Coupang's Dawn Delivery service techcrunch.com

A South Korean privacy regulator has fined Coupang 624 billion won, more than $400 million, after a data breach exposed personal information tied to more than 34 million customers, according to TechCrunch. The Personal Information Protection Commission said the breach was discovered in December 2025 and lasted for months, with a former employee obtaining data including names, email and shipping addresses, phone numbers and order histories.

For Coupang, which TechCrunch describes as headquartered in the US but dominant in South Korea, the size of the penalty turns a familiar breach story into a cross-border compliance problem. The commission framed the decision as the maximum penalty available, and Coupang said it will challenge the ruling. That contest will run on two tracks at once: the technical dispute over what safeguards failed, and the political dispute over whether a flagship foreign-listed firm is being made an example of.

The case also illustrates how data protection enforcement is becoming a revenue event for regulators and a balance-sheet event for platforms. A breach that affects “millions” is no longer just a customer-service crisis; it is a line item large enough to change investment and hiring plans. Companies that built growth around aggressively centralised customer databases now have to price in the cost of keeping those databases locked down, audited, and internally segmented so that one credential does not open the whole warehouse.

TechCrunch reports that lawmakers in South Korea accused some US lawmakers of political pressure related to the case, and that US representatives linked the breach to bilateral ties as the case against Coupang executives moved forward. That kind of linkage makes enforcement harder to treat as a purely domestic matter: once sanctions and prosecutions are framed as diplomatic friction, every next breach at a foreign firm becomes a test of consistency.

At the same time, the underlying vulnerability described by TechCrunch is not exotic hacking but insider access: a former employee allegedly obtained data on a scale that the report characterises as about two-thirds of South Korea’s population. That is the scenario most difficult to solve with perimeter security alone, because it depends on how access is granted, logged, and reviewed inside the company.

The regulator’s decision now lands on Coupang’s lawyers and accountants, but its facts are mundane: a breach discovered in December 2025, months of exposure, and customer records concentrated enough that one employee could walk away with them.