A South Korean privacy regulator imposed its largest-ever fine over a large-scale personal data breach at Coupang that occurred in November last year.

The Personal Information Protection Commission held a plenary meeting on Tuesday and imposed a 624.7 billion won fine and a 16.8 million won penalty on Coupang for violating obligations to take safety measures and collecting personal data without a legal basis.

That far exceeds the 134.8 billion won fine the commission imposed on SK Telecom last year.

The commission also confirmed violations by Coupang logistics unit Coupang Fulfillment Services (CFS) of restrictions on collecting and using personal data and processing sensitive data, and imposed fines totaling 248 million won.

The commission said it received a report from Coupang on Nov. 20, 2025, and began a data leak investigation the next day.

The commission said it formed an intensive investigation task force with the Korea Internet & Security Agency, citing factors including that Coupang’s service is a platform that functions as daily-life infrastructure used routinely by most of the public and that a personal data leak or infringement would have a large impact. It said it focused on confirming relevant facts and whether personal data protection laws were violated. It also stressed it conducted the investigation under a principle of imposing penalties commensurate with responsibility based only on law and principle, without regard to whether a company was domestic or foreign.

Based on the investigation results, the commission concluded that Coupang leaked personal data of about 37.5 million people due to insufficient basic security management, including lax management of authentication signing keys and access controls.

It also additionally confirmed violations of obligations to notify of leaks and to destroy data, violations of ensuring the independence of the chief privacy officer, and obstruction of the investigation. The commission said it issued corrective orders, including strengthening safety measures to prevent recurrence of similar incidents, carrying out leak notifications to data subjects who are not members, and ensuring the CPO’s substantive role. It also recommended improvements related to the system for handling withdrawn members’ personal data, and said it plans to confirm implementation and measures taken within 3 months.

The commission also confirmed that Coupang collected without authorisation online activity records of about 11.17 million members who accessed other companies’ websites and apps, and stored them in a database in a way that identified individual users.

It also confirmed that Coupang failed to properly manage and supervise advertising partners that posted fraudulent advertising, allowing records of Coupang service use to be collected against users’ wishes.

The commission issued corrective orders including improving transparency in personal data processing, ensuring data subjects have a substantive right to choose regarding targeted advertising, and strengthening management and supervision to prevent fraudulent advertising.

It judged that collecting and managing a list of 71 members of the National Police Agency press corps who had no work history at logistics centres, by registering them on an employment restriction list, violated rules on the collection and use of personal data. It also explained that submitting workers’ weight information, held and managed for the purpose of "employee health management", to a court during litigation related to industrial accidents violated rules on processing sensitive data.