Korea fines e-commerce giant $400m over data breach affecting millions

South Korea's antitrust regulator imposed a 400 million dollar fine on e-commerce giant Coupang, marking the country's largest penalty for a data breach. The enforcement action followed exposure of personal information for approximately 37.5 million users.

The Korea Fair Trade Commission determined that Coupang failed to implement adequate security measures and neglected to notify affected users in a timely manner after discovering the breach. The company stored sensitive data including names, phone numbers, email addresses, and identification card numbers without proper encryption protocols.

Coupang, South Korea's leading e-commerce platform and operator of the rapid-delivery service Rocket Delivery, has faced mounting regulatory pressure in recent years. The company now confronts this record penalty alongside ongoing scrutiny over its labor practices and market dominance.

The 400 million dollar fine reflects escalating global enforcement against data mishandling by major tech platforms. Similar penalties have struck companies like Meta and TikTok in recent months as regulators worldwide tighten requirements around user privacy protection and breach notification timelines.

The regulator specifically cited Coupang's delay in alerting consumers to the exposure, which persisted for weeks after the initial compromise. South Korean law mandates prompt notification of breaches affecting personal information. Coupang's failure to comply with these requirements triggered additional violations beyond the security lapses themselves.

The company stated it would cooperate fully with authorities and implement strengthened security infrastructure. Coupang operates one of Asia's most sophisticated logistics networks and processes millions of transactions daily across South Korea. The massive user base affected underscores both the platform's scale and the breach's scope.

This enforcement action signals that South Korea will impose severe consequences for data negligence, even against industry leaders with substantial market positions. The fine positions data security as a non-negotiable requirement for operating large-scale digital services in the region.