South Korea has imposed a record fine of more than $400 million (£299m) on e-commerce giant Coupang following a major data breach that exposed the personal information of tens of millions of customers.
The penalty, issued by Seoul’s Personal Information Protection Commission (PIPC), is the largest ever handed down by the regulator for a data privacy violation.
Authorities say the breach exposed names, contact details, delivery information and purchase histories belonging to users of Coupang, the country’s largest online retail platform, often compared to Amazon.
Coupang told the BBC it “deeply regrets the concern caused” and said it would strengthen its security systems, although it plans to challenge the regulator’s decision.
The number of affected accounts is believed to exceed 30 million—more than half of South Korea’s population of around 50 million.
On Wednesday, the PIPC announced a 423.6 billion won fine for the data breach, along with an additional 201 billion won penalty for unlawful collection of personal information.
Investigators found that weak security controls, including poor management of authentication keys and access permissions, led to the large-scale exposure of user data, estimated at around 37.5 million accounts.
Coupang, however, said its explanations and remedial actions were not adequately reflected in the regulator’s final decision. It added that it expects the matter to be clarified through legal proceedings once it receives the official ruling.
The ruling follows a months-long investigation triggered after allegations of a data leak surfaced in November.
Although Coupang is headquartered in the United States, the bulk of its business and revenue comes from South Korea.
The company previously said it first detected suspicious activity affecting about 4,500 accounts in November and immediately notified authorities. However, subsequent internal investigations suggested that up to 34 million accounts in South Korea may have been exposed, with the breach potentially dating back to June and originating from an overseas server.
Following the incident, Coupang’s then-chief executive Park Dae-jun stepped down, issuing an apology. Chief administrative officer Harold Rogers has since been serving as interim CEO.
The case adds to a growing list of cybersecurity breaches in South Korea, despite the country’s strong reputation for digital security. Last year, major telecom provider SK Telecom was also fined nearly $100 million after a breach affecting more than 20 million subscribers.