What Happened
On June 11, 2026, South Korea's Personal Information Protection Commission (PIPC) voted at a plenary session to impose ₩624.7 billion (approximately $409 million) in penalties on e-commerce giant Coupang and its logistics subsidiary Coupang Fulfillment Services — the largest data-breach sanction in PIPC history, surpassing the previous record of ₩134.8 billion levied against SK Telecom only months earlier.
The fine breaks into two parts: ₩423.6 billion for the underlying breach of South Korea's Personal Information Protection Act (PIPA), and ₩201.1 billion for Coupang's separate, covert collection of browsing data from roughly 11.17 million users across third-party websites through its Coupang Partners advertising program — conducted without legal consent and in violation of PIPA's lawful-basis requirements.
The incident that triggered the primary penalty began in April 2025. A former software engineer — a Chinese national who had left Coupang at the end of 2024 — had himself built the company's alternative authentication system and, before departing, retained the signing key that underpinned it. From April 14 to November 8, 2025, he used that key to forge authentication tokens, bypassed Coupang's gateway controls, and scraped customer records in hundreds of millions of automated queries. The final tally: 33.2 million registered member accounts plus 4.3 million non-member delivery recipients — roughly two-thirds of South Korea's entire population — had names, phone numbers, email addresses, physical addresses, and order histories exposed.
The Aggravating Factor That Makes This Case Exceptional
Data breaches happen. What distinguishes the Coupang case — and what legally justifies a penalty at the top of PIPA's enforcement range — is what happened after the breach was discovered.
On November 21, 2025, one day after Coupang filed its initial breach notification, authorities issued a formal evidence-preservation order for web access logs. Six days later, Coupang manually deleted approximately six months of those logs. The deletion erased roughly 13% of log data covering the attack period, permanently foreclosing identification of additional victims. PIPC referred the log destruction for criminal prosecution.
This is not a procedural quibble. Deliberate destruction of evidence under an active preservation order is obstruction. It eliminates the possibility of knowing how many people were actually harmed. Any proportionality analysis must weigh not just the 37.5 million confirmed victims but the unknown further population rendered unidentifiable by Coupang's own actions.
The PIPC's characterisation of the breach as "self-inflicted" is accurate: the root cause was not a sophisticated zero-day exploit but elementary security hygiene failures — specifically, the failure to rotate authentication credentials after a privileged employee departed. The commission found a current Coupang developer was still storing a signing key on a personal laptop at the time of investigation, suggesting the authentication-key laxity was not a one-off lapse but a systemic practice.
Steelmanning the Critics
The criticism deserves a fair hearing. Coupang's total fine of ₩624.7 billion is roughly equivalent to the company's entire operating profit in the prior fiscal year. Its Q1 2026 results already reflected a ₩354.5 billion operating loss, largely attributable to the ₩1.69 trillion in platform vouchers the company had offered as customer compensation. Piling a near-annual-profit penalty on top of what is already a self-imposed restitution exercise could reasonably constrain the infrastructure investment Coupang has committed — ₩3 trillion in logistics expansion since 2024.
Professor Jung Yeon-sung of Dankook University raised a valid structural point: South Korea's current revenue-percentage formula means large platforms face dramatically higher absolute fines than smaller companies for comparable breaches, even when the smaller company may have exposed more sensitive data. Duo, a matchmaking platform, received only ₩1.2 billion despite exposing 427,000 sensitive records. That asymmetry is a real design problem in PIPA's penalty structure, one the 2026 PIPA amendments (effective September 11, 2026, raising the maximum to 10% of revenue and adding personal CEO liability) do not solve.
Why the Fine Is Still Defensible
The proportionality critique, however valid as a structural matter, collapses when applied to this specific case. The 3%-of-revenue ceiling under the current PIPA is not a suggested penalty — it is the maximum. The PIPC applied it to a company that:
- Failed to rotate credentials after a privileged engineer's departure, enabling a seven-month undetected intrusion;
- Ran a parallel, unconsented tracking program on 11 million users;
- Deliberately destroyed evidence under an active court order; and
- Delayed breach notification by five months.
These are not degrees of ordinary negligence. The evidence-destruction finding alone elevates this from a technical compliance failure to deliberate misconduct. Where regulators have a graduated penalty range, the most egregious cases should sit at the top.
The Diplomatic Distraction
The most troubling element of the Coupang case is not the fine itself but the political pressure surrounding it. US Secretary of State Marco Rubio has reportedly indicated the Coupang penalty has complicated trade negotiations with Seoul. Fifty-four Republican lawmakers signed a letter characterising the fine as discriminatory against US companies. Korea's Foreign Ministry found itself obliged to clarify that the investigation was "fair and in accordance with procedures set by domestic law."
This framing is dangerous. The PIPC is an independent regulatory body that imposed a fine on a company — regardless of its US listing on the NYSE — for violating Korean law, destroying evidence under a Korean preservation order, and secretly tracking Korean consumers without consent. The nationality of the company's shareholders is irrelevant to whether its conduct violated PIPA.
If the US trade-pressure argument succeeds in diluting Korea's enforcement posture, it will not protect American innovation — it will protect American companies from accountability for misconduct in foreign markets. That is not a pro-innovation position; it is a get-out-of-jail card. No jurisdiction should accept it.
What the Coupang Case Tells Regulators Globally
South Korea's PIPA regime is tightening. The September 2026 amendment, now weeks from taking effect, introduces penalties of up to 10% of total revenue for repeated or large-scale violations and places personal liability on CEOs. The Coupang case, decided under the old 3% ceiling, suggests the PIPC is already willing to reach for the top of its range when facts warrant it.
The correct lesson for platforms operating in Korea — and in any jurisdiction with a GDPR-style privacy regime — is not that fines are becoming politically weaponised, but that basic security hygiene and evidence-preservation obligations are non-negotiable. Rotating credentials when privileged staff depart is not an advanced privacy practice; it is table stakes. Destroying logs after a preservation order is not a calculated risk; it is criminal exposure.
Coupang has announced it will contest the fine in administrative court. The legal challenge is its right. But the PIPC's factual record — a retained signing key, a seven-month undetected intrusion, and a deliberate post-order log wipe — is a strong one. Evidence destruction rarely improves a company's litigation position.