South Korea's Personal Information Protection Commission ordered a massive fine of 624.68 billion won (about 13.4 billion baht) against Coupang, the country's largest online shopping platform, after investigations revealed lax security systems that caused the personal data of 37.5 million customer accounts to leak.
The Personal Information Protection Commission (PIPC) of South Korea announced a penalty against Coupang, the e-commerce giant often called the "Amazon of South Korea," imposing a fine of up to 624.68 billion won, equivalent to more than 13.4 billion baht.
This penalty represents the highest-ever fine in South Korea for a data breach case, surpassing the previous record set by SK Telecom, a major mobile network operator, which was fined about 88 million U.S. dollars last year. The PIPC cited Coupang's failure to comply with security obligations and the unlawful collection of citizens' personal data without legal grounds.
South Korean authorities found the breach resulted from inadequate basic preventive measures, ineffective management of decryption keys, and lax system access controls. Consequently, personal data of approximately 37.5 million user accounts were exposed externally—amounting to more than half of South Korea's total population of around 50 million.
The leaked data included customers' names, contact information, delivery details, and purchase histories. Furthermore, the PIPC discovered that Coupang secretly collected online activity logs of about 11.17 million shoppers from third-party websites and applications, storing them in an identifiable manner, which is illegal.
Additionally, Song Kyung-hee, chairperson of the PIPC, stated that the law requires companies to notify affected individuals within 72 hours. However, Coupang "delayed notification and shirked responsibility," preventing the public from knowing and losing the chance to guard against potential further harm.
The crisis began forming in June last year through servers located overseas, before complaints arose and news reports appeared in November. Initially, the company reported only 4,500 affected accounts, but internal investigations later revealed nearly 34 million accounts might have been exposed, while government figures cited as many as 37.5 million. Nevertheless, Coupang continues to contest in court, claiming only 3,000 records were affected.
Following the incident, Coupang's CEO, Park Dae-joon, immediately resigned to accept responsibility and apologize publicly. Harold Rogers, the Chief Operating Officer, took over as interim CEO.
The e-commerce giant issued a statement expressing deep regret over the concerns caused to customers and the public, pledging to enhance cybersecurity measures. "However, we regret that the proactive measures we took to prevent harm, along with fact-based explanations, were not sufficiently considered by the commission's decision. We expect all facts to be clarified through the legal process," the statement said.
A key point of interest is that this case is becoming a trigger for geopolitical and economic tensions between South Korea and the United States, as Coupang is registered as a company in the U.S. and listed on the New York Stock Exchange, despite deriving nearly all its revenue from the South Korean market.
Previously, members of the U.S. Republican Party criticized South Korea's investigation as "selective regulatory measures" against American businesses. Local media reported that the U.S. government even threatened to suspend high-level security talks with South Korea unless legal protections were guaranteed for Kim Bum-suk, Coupang's chairman who holds American citizenship.
Kim Dae-jong, a business professor at Sejong University in Seoul, analyzed, "The extraordinarily high fine surpassing that of SK Telecom may provoke strong opposition from the U.S., as it will be seen as an excessive penalty. Coupang will certainly continue to fight the case vigorously in court."
. AFP /BBC