
South Korea's Personal Information Protection Commission (PIPC) has fined e-commerce giant Coupang 624.68 billion won ($456 million) after concluding that poor security practices led to a data breach affecting approximately 37.5 million people.
The decision follows a November 2025 breach disclosure that initially involved only 4,536 accounts but later expanded dramatically.
According to the PIPC's findings, attackers gained access to personal information belonging to 33.2 million Coupang members and at least 4.3 million non-members whose details appeared in customer delivery records. The regulator said the breach was caused by inadequate management of authentication signing keys and insufficient monitoring of suspicious activity.
The attacker was a former employee who had participated in developing a backup authentication system while working at the company. After leaving Coupang in late 2024, the individual allegedly used a retained authentication signing key to generate forged authentication tokens and access customer systems between April and November 2025.
The stolen data included names, email addresses, phone numbers, delivery addresses, and order information. The attacker reportedly combined data from multiple systems to build detailed customer profiles before sending extortion emails containing sample records to both Coupang and affected users.
Coupang operates the country's largest e-commerce platform and logistics network, serving tens of millions of customers through online retail, delivery, food delivery, and streaming services.
The PIPC concluded that the incident was not the result of sophisticated hacking techniques but rather basic security failures. According to the regulator, authentication signing keys could be viewed by employees who did not require access, were not properly rotated after employee departures, and remained vulnerable to misuse. The company also failed to detect months of abnormal activity, including millions of suspicious requests targeting systems containing customer information.
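To illustrate the two controls the regulator said were missing (retiring signing keys when their holders leave, and noticing when a retired key is still being exercised), here is an added Python example that is not Coupang's code; it assumes a hypothetical key registry with constructed secrets and a simple HMAC token format, and shows a verifier that refuses a correctly signed token whose key has been retired, plus a counter that flags such rejections in volume.

```python
import hmac, hashlib, json, base64, time
from collections import Counter

# Constructed key registry (hypothetical, not Coupang's). The regulator faulted keys
# that were never rotated after departures; here the old backup key is marked retired,
# so any token it signs is refused even though the signature itself is valid.
KEYS = {
    "k-2024-backup": {"secret": b"old-backup-key-secret", "status": "retired"},
    "k-2025-03":     {"secret": b"current-key-secret",    "status": "active"},
}

def _b64(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(kid, claims):
    """Mint a compact token: b64(kid).b64(claims).b64(HMAC-SHA256 under key kid)."""
    body = f"{_b64(kid.encode())}.{_b64(json.dumps(claims, sort_keys=True).encode())}"
    sig = hmac.new(KEYS[kid]["secret"], body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"

def verify_token(token, now=None):
    """Return (ok, reason, kid). Signature is checked first, then key status, then expiry."""
    try:
        kid_b64, claims_b64, sig_b64 = token.split(".")
        kid = _unb64(kid_b64).decode()
    except (ValueError, UnicodeDecodeError):
        return False, "malformed", None
    key = KEYS.get(kid)
    if key is None:
        return False, "unknown_kid", kid
    expected = hmac.new(key["secret"], f"{kid_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        return False, "bad_signature", kid
    if key["status"] != "active":          # valid signature, but the key was retired
        return False, "retired_key", kid
    claims = json.loads(_unb64(claims_b64))
    if claims.get("exp", 0) < (now or time.time()):
        return False, "expired", kid
    return True, "ok", kid

def flag_abuse(results, threshold=3):
    """Detection: count rejections per (kid, reason); a retired key used repeatedly
    is exactly the signal that months of forged-token traffic would have produced."""
    counts = Counter((kid, reason) for ok, reason, kid in results if not ok)
    return {k: n for k, n in counts.items() if n >= threshold}
```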
The regulator identified several additional violations during its investigation, including delayed breach notifications, failure to delete some former customer records in accordance with internal policies, and deletion of logs after authorities had ordered evidence preservation.
Beyond the breach itself, the PIPC found that Coupang unlawfully collected browsing activity from approximately 11.17 million users who visited third-party websites and mobile apps that participated in its “Coupang Partners” advertising program. According to the regulator, the company stored records such as visited URLs, app names, IP addresses, timestamps, and device identifiers without obtaining valid user consent. The practice resulted in a separate penalty of 201.1 billion won ($147 million).
The PIPC also fined Coupang Fulfillment Services (CFS), the company's logistics subsidiary, 248 million won ($181,000) after finding that it improperly maintained personal information on 71 journalists in an employment restriction database and unlawfully used employee weight data collected for health management purposes during litigation.
In total, regulators imposed 624.68 billion won ($456 million) in penalties and ordered Coupang to strengthen authentication key management, improve monitoring and access controls, notify affected non-members whose information was exposed, and revise its data retention practices.
While the PIPC said it has not found evidence that the stolen data has been publicly distributed, it warned that the exposed information could still be used in phishing, smishing, spam, and fraud campaigns, urging affected individuals to remain vigilant.