South Korean e-commerce platform Coupang is under intense scrutiny after confirming a massive data breach that exposed the personal information of 33.7 million users.
The incident, which Coupang acknowledged on Saturday (Nov. 29), is now considered the largest data leak ever recorded in South Korea.
According to the company and a report in The Korea Times, compromised data includes names, email addresses, and information contained in delivery address books, such as phone numbers and detailed street addresses. Some order histories were also exposed. Coupang has not yet disclosed the origin of the breach or whether the exposed information has been misused.
The scale of the leak has sparked widespread concern, given Coupang’s extensive user base and its deep integration into daily life in South Korea. Many customers rely on the platform not only for shopping but also for food delivery, streaming and subscription services, all of which collect significant amounts of personal data.
Possible fine
The Personal Information Protection Commission (PIPC) launched an investigation on Sunday (Nov. 30) to determine whether Coupang failed to implement required safeguards. Under the nation’s law, companies must maintain strict controls over access rights, encryption, and internal data management. Investigators are now examining whether lapses in these areas enabled the breach.
Under the Personal Information Protection Act, the government can impose fines of up to 3 percent of the revenue associated with the compromised data. Coupang’s domestic revenue for the first three quarters of this year reached an estimated 31.226 trillion won, meaning the upper limit of penalties could approach 1 trillion won, or roughly $770 million. If regulators include revenue from Coupang’s integrated subscription ecosystem—covering services such as Coupang Play and Coupang Eats—the final figure could be even higher.
While a penalty of this magnitude would be unprecedented in Korea, it is considered plausible. The largest fine to date was levied against SK Telecom, which paid 134.8 billion won after a breach affecting 23.24 million users. Given the significantly larger scale of the Coupang incident, analysts expect a considerably steeper penalty.
Global precedents
Coupang is not alone in facing potentially massive consequences for mishandling personal data. Major global tech firms have been penalized heavily for privacy violations in recent years. Meta was fined $5 billion in 2019 for sharing Facebook user data with a political consulting firm, while T-Mobile agreed to pay compensation of up to $25,000 per victim following a breach that impacted 76.6 million users. The U.S. carrier ultimately paid $350 million to settle class-action claims.
These international cases underscore a broader trend: regulators worldwide are increasing pressure on large tech companies that fail to protect user data. Analysts say South Korea is now moving in a similar direction, especially as the government positions the country as a future leader in AI—a goal that is difficult to achieve without robust public trust in data governance.
Pattern of past violations
The latest incident is not the first time Coupang has faced criticism for mishandling personal information. The company has received administrative sanctions and fines for multiple data exposure events, all traced to internal errors rather than external hacking.
In October 2021, an app update malfunction briefly exposed the names and shipping addresses of 14 customers under the product search bar. Between August 2020 and November 2021, Coupang Eats mistakenly sent the names and phone numbers of about 135,000 delivery drivers to restaurants. And in December 2023, data belonging to 22,000 customers was exposed through a seller-exclusive platform.
Despite these incidents, the total fines imposed across all three cases amounted to only 1.6 billion won. Regulators typically reduce penalties when companies can show they have taken concrete steps to remedy vulnerabilities, raising the possibility that even in this record-scale breach, the final fine may fall short of the maximum.
For example, SK Telecom’s original penalty of 370 billion won was ultimately reduced to 134.8 billion won after mitigation was applied.
Public pressure
Civic groups argue that Korea’s current system fails to provide meaningful deterrence. They are calling for sweeping reforms, including class-action lawsuit mechanisms, strengthened punitive damages, and mandatory disclosure rules requiring firms to hand over evidence in privacy cases.
Activists contend that without the possibility of existential financial risk, large corporations will continue to treat data protection as a secondary priority. They further warn that repeated breaches undermine Korea’s credibility as it pursues AI-driven economic growth.
Government response intensifies
Facing mounting public anger, presidential chief of staff Kang Hoon-sik today (Dec. 1) ordered senior aides to explore ways to reinforce the punitive damages system. According to presidential deputy spokesperson Jeon Eun-soo, Kang stated that the current system is “virtually ineffective,” limiting the government’s ability to prevent major leaks.
Kang also pointed out that Coupang has suffered four similar incidents since 2021, suggesting not only corporate negligence but systemic weaknesses in South Korea’s broader data protection framework. His remarks signal a growing political will to overhaul existing regulations and introduce harsher consequences for companies that fail to safeguard personal information.