Coupang Fined $85 Million Over Data Breach

Hackers maintained unauthorized access to Coupang’s systems for five months, from June through November, before anyone inside the company noticed. By the time the breach surfaced, 33.7 million user accounts had been illicitly accessed, a figure large enough to touch a significant share of South Korea’s population.

The failure shifts from intrusion to absence at the centre of the business



The regulator did not describe a sophisticated intrusion. “This accident occurred due to Coupang’s lack of safety measures and systems, not sophisticated hacking,” Song Kyung-hee said at a briefing. The distinction matters because it shifts the failure from the perimeter to the centre of the business: not an external breach, but an internal absence.

That absence extended beyond detection. Coupang “delayed breach notifications”, Song said, leaving users exposed after the fact. “Those individuals were unaware of the breach and deprived of the opportunity to take steps to prevent secondary harm,” she added. The consequence is measurable: harm does not end when access stops; it compounds when information moves without resistance.

The state prices governance failure rather than technical lapse



The penalty reflects that view of causality. The fine is by far the largest ever penalty for a data leak in South Korea, following a government-led investigation that blamed the breach on management failure. The state is not pricing the incident as a technical lapse. It is pricing it as a governance failure inside a company that holds data at national scale.

Scale is the point. Coupang is estimated to control about 40 percent of South Korea’s logistics services, and has grown its e-commerce service significantly based on vast customer data. The same data that drives delivery efficiency also concentrates risk. When the system fails, it fails across the same footprint that made it valuable.

The company’s response is to contest the framing. After the fine was announced, Coupang apologised but insisted that “our proactive measures to prevent secondary harm… were not sufficiently reflected” in the regulator’s decision. It has signalled that it would challenge the fine in court. The dispute is not about whether the breach occurred, but about what counts as responsibility once it does.

Legal reform turns delay into liability measured in turnover



That argument is colliding with a legal regime that is moving in one direction. South Korea has passed the most significant amendment to its Personal Information Protection Act, and the reform raises the maximum fine to 10% of total turnover and requires earlier breach notification. It also introduces personal liability for executives. The law rewrites the cost of delay.

The timing is not accidental. South Korea became ground zero for data breaches of unprecedented scale in 2025, including a cyberattack on SK Telecom that compromised the personal information of 23 million subscribers. More than half of the country’s population found themselves victimised in a single year. The state is responding to a systemic exposure, not a sequence of isolated incidents.

That exposure has begun to leak into geopolitics. The probe into the data breach added to trade friction with Washington, where lawmakers accused Seoul of targeting a US-listed company. In April, nearly 100 South Korean politicians sent a joint letter warning against “undue pressure” from US counterparts, after Republicans described the probe as “discriminatory regulatory actions”. A domestic failure has become a bilateral argument.

The underlying tension is not only commercial. In parallel disputes over encryption, a backdoor compelled by one ally “becomes a standing invitation to Beijing, Moscow and Tehran”. “Any access point built into them becomes a permanent target,” one cyber expert warned. The line between compliance and vulnerability is thin, and once crossed, it does not stay local.

Coupang sits directly on that line. It is based in Seattle but generates most of its revenue in South Korea, operating infrastructure that depends on both jurisdictions. Its growth model—built on vast customer data—now meets a regulatory system that treats that same data as a liability unless actively defended.

The company’s position still assumes that scale insulates it. Yet the regulator has already established that the company did not have a system to protect and manage customer information despite its business scale. The law now converts that absence into a percentage of turnover, and the investigation has already named it as management failure. The exposure is not hypothetical.

Coupang is contesting the fine in court, but the structure underneath it has already shifted: a company that controls 40 percent of the country’s logistics is being told that the data underpinning that dominance is no longer an asset it can grow around, but a liability it must price—and that repricing has already begun.
https://www.kspost.biz/en-us/articles/2221
https://www.aljazeera.com/economy/2026/6/11/south-korea-fines-coupang-408m-over-biggest-data-leak-in-countrys-history
https://korea.acclime.com/news/data-protection-law-fines-accountability/
https://www.foxnews.com/world/uk-spy-powers-draw-us-scrutiny-over-alleged-apple-encryption-backdoor-demand
