South Korea fines Coupang $400m over data breach affecting 37.5 million customers
South Korea has issued its largest-ever data breach fine, penalising e-commerce giant Coupang more than $400m after the personal data of 37.5 million customers, more than half the country's population, was exposed.

Mark Fermor
Director & Co-Founder, Firevault

South Korea's Personal Information Protection Commission (PIPC) has handed e-commerce giant Coupang a record fine of more than $400m (£299m) over a data breach that exposed the personal information of more than 37.5 million customers. It is the largest data breach penalty ever issued by the regulator, and a stark warning to any organisation holding population-scale customer data inside live, internet-connected systems.
What happened
The PIPC announced a 423.6bn won fine for the data breach itself, with a further 201bn won added for the non-consensual collection of information. The commission concluded that a lack of safeguards, including poor management of authentication signing keys and weak access controls, had resulted in the names, contact details, delivery addresses and order histories of roughly 37.5 million users being exposed.
Coupang first told authorities in November that around 4,500 accounts had been affected. Later checks revised that figure to nearly 34 million accounts, with the intrusion believed to have started as early as June through a server based abroad. Following the breach, Coupang's chief executive Park Dae-jun resigned, and chief administrative officer Harold Rogers was appointed interim CEO.
Why this breach is so significant
Coupang is South Korea's dominant e-commerce platform, often described as the country's Amazon. The 37.5 million figure represents more than half of South Korea's population of around 50 million. Few breaches in any market reach that level of national exposure.
Two details from the PIPC findings matter most for security leaders:
- Authentication signing keys were not properly managed
- Access controls were not sufficient to contain the intrusion
Together, those two failures allowed an attacker who reached a foreign-hosted server to pivot into systems holding tens of millions of customer records. This is not a story about a single zero-day or a clever phishing lure. It is a story about how connected systems, weak key hygiene and broad access combine into a worst-case outcome.
The regulatory pattern is hardening
The Coupang fine follows a series of high-profile South Korean cyber incidents, including a nearly $100m penalty against mobile operator SK Telecom over a breach affecting more than 20 million subscribers. Regulators across Asia, the EU and the UK are moving in the same direction: larger fines, faster enforcement, and reduced tolerance for organisations that treat data protection as a paperwork exercise.
For UK and EU operators, the read-across is clear. The ICO, the Garante, the CNIL and others are watching the same risk surface. The combination of poorly managed cryptographic material and overly broad system access is increasingly treated as gross negligence rather than misfortune.
The Firevault view
Mark Fermor, Director and Co-Founder of Firevault, on what the Coupang case shows:
"Every breach of this size has the same shape. Live data, connected systems, signing keys held inside the blast radius, and access controls that look fine on a diagram and fail in practice. Once an attacker is past the perimeter, scale is just a query.
"Offline secure storage is not a backup strategy. It is a containment strategy. If your most sensitive cryptographic material and your authoritative customer records sit behind a physical boundary that an attacker cannot reach over a network, the worst day looks completely different. You lose a server, not a country.
"Firevault and Firebreak exist to make that boundary real. Hardware-enforced isolation for the data and the keys that matter most, with controlled, auditable paths in and out. That is what regulators are increasingly expecting to see, and it is what stops a single intrusion turning into a national-scale fine."
What organisations should take from this
- Treat signing keys, root credentials and master records as crown jewels that must live outside live, internet-facing systems wherever possible
- Assume any user-facing service can be reached, and design containment so that reach does not equal exposure
- Test access controls against realistic attacker paths, not just policy documents
- Plan for regulator scrutiny in proportion to the data you hold, not the revenue you earn
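To make the first and third takeaways concrete, the following is an added illustration written for this article; it is not code from Coupang, from the PIPC findings or from Firevault. It assumes a toy HMAC-SHA256 token format (not a real JWT), a constructed two-user database (`USERS`), and a hypothetical bulk-issuance threshold. It contrasts a web tier that holds the signing key in-process (so a compromised server can mint a token for any account) with a web tier that can only ask an isolated signer, which signs only when the user's own credential is presented and logs every issuance. `reach_equals_exposure` is the attacker-path test: given code execution on the web tier, can the attacker get a valid token for an account they do not own?

```python
import base64
import hashlib
import hmac
import json
import secrets


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hash_pw(password: str) -> str:
    # Toy: unsalted SHA-256. A real system uses a salted, slow password hash.
    return hashlib.sha256(password.encode()).hexdigest()


def sign_token(key: bytes, claims: dict) -> str:
    """Mint an HMAC-SHA256 token over JSON claims (constructed toy format)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(mac)


def verify_token(key: bytes, token: str):
    """Return the claims if the MAC checks out, otherwise None."""
    try:
        body, mac = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(mac)):
            return None
        return json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None


# Constructed user database for the example: username -> password hash.
USERS = {"alice": hash_pw("correct horse"), "victim": hash_pw("hunter2")}


class LeakyWebTier:
    """The failing shape: the signing key lives in the internet-facing process,
    so anyone with code execution here can sign a token for any user."""

    def __init__(self, key: bytes):
        self.key = key  # readable by whoever owns this process

    def login(self, user: str, password: str):
        if USERS.get(user) != hash_pw(password):
            return None
        return sign_token(self.key, {"sub": user})

    def compromised_mint(self, user: str):
        # What an attacker who has taken this server can do: no credential needed.
        return sign_token(self.key, {"sub": user})


class IsolatedSigner:
    """The containment shape: the key exists only here, behind an interface that
    signs for a user only when that user's credential is presented, and that
    records every issuance so bulk minting is visible."""

    def __init__(self, key: bytes, bulk_threshold: int = 100):
        self._key = key
        self._bulk_threshold = bulk_threshold  # hypothetical alerting threshold
        self.audit = []  # subjects issued, in order

    def issue(self, user: str, password: str):
        stored = USERS.get(user, "")
        if not hmac.compare_digest(stored, hash_pw(password)):
            return None
        self.audit.append(user)
        return sign_token(self._key, {"sub": user})

    def verify(self, token: str):
        return verify_token(self._key, token)

    def bulk_alert(self) -> bool:
        # An attacker who does reach this boundary must go one credential at a
        # time, and the volume shows up in the audit trail.
        return len(self.audit) > self._bulk_threshold


class HardenedWebTier:
    """Holds no key. Login and verification both go through the signer."""

    def __init__(self, signer: IsolatedSigner):
        self.signer = signer

    def login(self, user: str, password: str):
        return self.signer.issue(user, password)

    def compromised_mint(self, user: str):
        # Same attacker, same foothold: without the victim's credential the
        # signer refuses, so the compromise yields no token.
        return self.signer.issue(user, "attacker-guess")


def reach_equals_exposure(tier) -> bool:
    """Attacker-path test: True means a compromised web tier yields a valid
    token for an account the attacker does not own (the design fails)."""
    token = tier.compromised_mint("victim")
    if token is None:
        return False
    if hasattr(tier, "signer"):
        claims = tier.signer.verify(token)
    else:
        claims = verify_token(tier.key, token)
    return claims is not None and claims.get("sub") == "victim"


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("key in web tier, reach equals exposure:", reach_equals_exposure(LeakyWebTier(key)))
    hardened = HardenedWebTier(IsolatedSigner(key))
    print("key behind signer, reach equals exposure:", reach_equals_exposure(hardened))
```

The design point is the narrow interface, not the HMAC: the same split applies whether the signer is a hardware module, a separate service, or storage that is physically disconnected outside login windows. Verification in the hardened variant still round-trips to the signer because HMAC needs the key; an asymmetric scheme would let the web tier hold only a public verification key and remove even that dependency.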
Coupang's fine is not an outlier. It is the new baseline for organisations that store population-scale data on always-connected infrastructure. The defensible posture is to put the data that would end your business behind a boundary that the internet cannot cross.
Learn more about how Firevault protects enterprise data with offline secure storage, or explore the Control deployment model for hardware-enforced isolation of sensitive systems.
Suggested Reading
- What is Offline Secure Storage: The foundation of physical disconnection
- Why Offline Secure Storage: The case for physical control
- Ransomware Defence: Hold gold copies offline
- Firevault Control: Physical path control for IT and OT
- Knowledge Vault: All articles, guides and whitepapers
- Book a Demo: See Firevault in action