South Korea’s primary data protection authority has concluded its extensive investigation into the significant data leak at e-commerce behemoth Coupang. A final decision regarding the penalties and corrective measures is anticipated as early as next month, sources revealed on Tuesday.
The Personal Information Protection Commission (PIPC) recently finalized its probe into the data breach, which impacted over 33 million Coupang customers. The findings of this critical investigation were communicated to the company early last month, according to insights from security industry sources.
Reports indicate that the notification detailed Coupang’s alleged violations of the personal information protection law, alongside potential corrective actions the PIPC might impose. However, the document did not specify any concrete penalty amounts at that stage, sources confirmed.
In line with its established regulations, the PIPC is mandated to inform alleged violators of the data protection law about proposed punitive measures. This process includes providing them a minimum 14-day window to submit their responses and opinions.
Coupang, in its formal response, reportedly challenged the overarching direction of the watchdog’s prospective enforcement actions and measures.
Industry experts predict that a definitive penalty decision is highly probable by next month, with the PIPC reportedly aiming to finalize and close the case within the first half of the current year.
Under the robust data protection law in South Korea, companies found responsible for personal information leaks can face substantial fines. These penalties can amount to as much as 3 percent of their average annual sales over the preceding three years, though revenues from business operations unrelated to the violation may be excluded.
Considering Coupang Inc., the US-listed parent company, reported sales of approximately 49 trillion won ($32.2 billion) in 2025, the regulator could theoretically impose a fine reaching up to an staggering 1.5 trillion won.
To put this into perspective, the PIPC levied a 134.8 billion won fine on SK Telecom Co. last year for a similar data leak, which currently stands as the largest penalty ever imposed by the data protection regulator.
Coupang first disclosed its data breach incident in November, confirming that sensitive personal information belonging to its customers, including names, phone numbers, and delivery addresses, had been exposed.
