
South Korea’s privacy regulator imposed a record fine on e-commerce giant Coupang on June 12 after finding that the company exposed the personal information of 37.56 million individuals, a case that has become a turning point in the country’s efforts to strengthen data-protection enforcement.
The Personal Information Protection Commission, or PIPC, said Coupang would face penalties totaling 624.68 billion won, equivalent to roughly $460 million, for a massive data breach and for collecting online activity data from approximately 11.17 million users without a legal basis.
The case has drawn attention not only because of its scale but also because of the company’s handling of the incident.
When Coupang first disclosed the breach in November 2025, it reported that roughly 4,500 records had been compromised. Nine days later, the company revised the figure to approximately 33.7 million records, a roughly 7,500-fold increase in the reported scale that triggered widespread public criticism.
The breach surpassed the scale of the cyberattack that affected approximately 23.24 million subscriber identity module, or SIM, records at SK Telecom, one of South Korea’s largest telecommunications providers.
The succession of large-scale data incidents has intensified pressure on lawmakers and regulators to strengthen corporate accountability for privacy failures.
President Lee Jae-myung, during a government briefing in December 2025, questioned the effectiveness of existing penalties, arguing that fines were too small to deter companies from violating privacy regulations.
The controversy helped accelerate legislative action. In February 2026, South Korea’s National Assembly approved amendments to the Personal Information Protection Act allowing regulators to impose penalties of up to 10% of a company’s total revenue in cases involving repeated violations caused by willful misconduct or gross negligence, or breaches affecting more than 10 million individuals.
The revised law is scheduled to take effect on Sept. 11, 2026.
Under the previous framework, penalties were capped at 3% of annual revenue.
Regulators have also revised the methodology used to calculate fines. Amendments that took effect in May require authorities to use whichever figure is larger—the company’s revenue from the previous fiscal year or the average revenue from the previous three fiscal years—when determining penalties. The change addresses concerns that rapidly growing technology and platform companies could face fines that fail to reflect their current economic scale.
Officials say the revisions will allow regulators to impose sanctions more closely aligned with a company’s financial resources and the severity of a violation.
Yet the Coupang case also highlights a limitation of the new system.
Because administrative penalties generally must be based on laws in force at the time of a violation, the tougher sanctions cannot be applied retroactively to Coupang or to other previously investigated cases.
Industry observers say that while the company will avoid the harsher penalties available under the revised law, the breach has nonetheless reshaped South Korea’s approach to data protection.
“The stronger enforcement provisions cannot be applied to incidents that occurred before the law changed, which is unfortunate,” a cybersecurity industry official said. “But these large-scale breaches created the momentum for reform, and regulators now have a much stronger framework for holding companies accountable in future cases.”
The record penalty marks one of the most significant privacy-enforcement actions in South Korean history and signals a broader shift toward tougher oversight of technology companies handling vast amounts of consumer data.




