South Korea has imposed a record fine of $409 million on Coupang, the country's largest online retailer, following a significant data breach that exposed personal information of nearly two-thirds of its population. The Personal Information Protection Commission cited Coupang for failing to implement adequate cyber security measures. The issue arose when a former employee exploited a vulnerability in the company's overseas servers, prompting a backlash and leadership resignations within the company. This fine is the largest ever for a single data breach in South Korea, and it is expected to complicate diplomatic relations between South Korea and the U.S. over tech regulations.

Accessibility help Skip to navigation Skip to main content Skip to footer

Add to myFT

Get instant alerts for this topic

Manage your delivery channels here Remove from myFT

‘South Korea’s Amazon’ hit with record fine over data breach

Coupang told to pay $409mn after hack that exposed personal information of nearly two-thirds of population

A Coupang employee wearing a mask unloads a reusable bag of fresh food from a delivery truck. Coupang is South Korea’s largest private-sector employer after Samsung© SeongJoon Cho/Bloomberg

Song Jung-a in Seoul

PublishedJune 11 2026

UpdatedJune 11 2026

Jump to comments section Print this page

Unlock the Editor’s Digest for free

Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.

South Korea has slapped a record fine on Coupang, the country’s largest online retailer, over a data breach that hit most of its population, in a move that could worsen a diplomatic spat with the US over tech regulation.

The Personal Information Protection Commission fined Coupang Won624.6bn ($409mn) on Thursday, saying the company — which is registered in Delaware but makes most of its revenue in South Korea — was lax in its cyber security controls.

“The company neglected to implement adequate measures to detect and respond to unauthorised external access,” Song Kyung-hee, head of the commission, told reporters.

The decision followed months of investigations into the company, known as “South Korea’s Amazon”, after a hack exposed the personal information of nearly two-thirds of the country’s 51mn people. Lawmakers have called for Coupang, which reported Won49tn in sales in 2025, to pay as much as Won1.2tn in penalties.

Thursday’s fine is the largest on a single company in South Korea for a data breach, according to the commission, which said Won423.6bn was for the hack while Won201bn was for collecting and using customers’ personal information without their consent.

Coupang said it was “regrettable” that measures it had put in place after the data breach and its explanations were “not sufficiently reflected” in the commission’s decision.

“We look forward to the facts being clearly clarified through legal proceedings after receiving the official resolution,” it said.

Founded in 2010 by Korean-American Harvard graduate Bom Kim, Coupang became the country’s largest ecommerce group through its overnight “rocket delivery” service.

Backed by Japan’s SoftBank, the company has 25mn active members across services ranging from food delivery to streaming. It is South Korea’s largest private-sector employer after Samsung.

Authorities said the data breach began in April through Coupang’s overseas servers, but the company only became aware of it in November. A former employee had used a private encryption key that had remained active to access customer information, according to authorities.

The delayed response triggered a public backlash and customer exodus. The chief executive of Coupang’s South Korean subsidiary resigned, and President Lee Jae Myung called the case a wake-up call for stronger cyber security.

Coupang last month reported a $242mn operating loss in the first quarter and warned of slower revenue growth this year as security concerns discouraged some consumers from using the platform.

The case became a diplomatic issue after a group of Coupang investors petitioned Washington under Section 301 of the Trade Act, which allows the US government to investigate and retaliate against foreign trade practices deemed unfair. They later withdrew the petition.

The dispute highlights the risk governments face when regulating US companies as Washington increasingly treats foreign regulatory actions as non-tariff trade barriers. South Korean officials have said they remain committed to ensuring US companies are “not discriminated against and do not face unnecessary barriers” under laws governing digital services.

“The fine’s unprecedented amount is likely to fuel Washington’s suspicion that US companies are being targeted in Korea,” said Lee Jae-min, a law professor at Seoul National University. “It could increase tensions unless Seoul thoroughly explains how the penalty was calculated.”

Under South Korean law, companies that fail to implement adequate data protection measures can be fined up to 3 per cent of revenue. Authorities can also seek punitive damages of up to five times actual harm if a data leak results from wilful misconduct or gross negligence.

Reuse this content(opens in new window) CommentsJump to comments section

Follow the topics in this article

Technology sector

Add to myFT

Data protection

Add to myFT

Asia-Pacific companies

Add to myFT

South Korean business & finance

Add to myFT

Coupang

Add to myFT

Comments

Close side navigation menu

Search the FTSearch

Subscribe for full access

Read Original at Financial Times →