South Korea fines Coupang $409 million in record data breach case

South Korea hit Coupang with a 624.7 billion won, or about $409 million, privacy penalty after a breach exposed the personal data of roughly 37.5 million users, a scale that underscores how aggressively some regulators abroad are willing to punish data failures. For American consumers, the case raises a blunt question: when breaches affect tens of millions, are U.S. users being protected as forcefully as their counterparts overseas?

South Korea’s Personal Information Protection Commission said the fine was driven not only by the exposure of customer information but also by Coupang’s unauthorized collection of online user activity data. The penalty is the largest privacy fine in South Korea’s history and tops the previous record, an 88 million dollar sanction against SK Telecom last year.

The case also puts a hard number on the business cost of a massive data lapse. Reuters calculated the penalty at about 1.4% of Coupang’s 2025 revenue of 45 trillion won. Korean media reported that the fine is roughly equivalent to Coupang’s 2025 operating profit of 721.1 billion won, a striking reminder that even a record sanction may still land within the scale of a company’s annual earnings.

The government’s move capped a months-long investigation into Coupang, which is incorporated in the United States. The leak allegations first surfaced in November 2025, setting off a probe that ended with the regulatory finding that the company had mishandled both exposed customer data and user activity information. Coupang said it was sorry for the concern caused and said it would challenge the fine in court.

The case also turned politically sensitive. In April 2026, South Korean lawmakers objected to what they described as U.S. political pressure over the investigation, warning that attempts to influence the legal process would infringe on Korea’s judicial sovereignty. Nearly 100 lawmakers signed a letter making that argument, and the dispute widened beyond privacy compliance into a test of national regulatory independence.

For South Korea, the penalty is a signal that privacy violations tied to large platforms will carry serious financial consequences. For U.S. policymakers, it is an uncomfortable comparison: another country has now imposed a record data-breach penalty on a company with American roots, and the gap in enforcement is impossible to ignore.