Privacy watchdog wraps up probe into Coupang data leak, to decide penalty as early as June

▲ A Coupang vehicle is parked at a company facility in Seoul, in this file photo taken Feb. 10, 2026. (Yonhap)

Coupang-data leak probe

Privacy watchdog wraps up probe into Coupang data leak, to decide penalty as early as June

SEOUL, May 12 (Yonhap) -- South Korea's data protection watchdog has concluded its probe into a massive data leak at e-commerce giant Coupang, with its final decision on the level of punishment expected to be made next month at the earliest, sources said Tuesday.

The Personal Information Protection Commission (PIPC) recently concluded its investigation into the data breach that affected over 33 million Coupang customers and notified its results to the company early last month, according to the security industry sources.

The notification reportedly included Coupang's suspected violations of the personal information protection law, along with potential corrective measures the agency may take. It, however, did not include any specific amount of penalties, according to the sources.

Under its regulations, the PIPC must notify its punitive measures to alleged violators of the data protection law and give them an opportunity to submit their opinions for a period of a minimum of 14 days.

In its opinion, Coupang reportedly pushed back against the overall direction of the watchdog's potential measures.

Industry sources believe a finalized penalty decision will likely be made as early as next month, with the PIPC said to be aiming to close the case within the first half of the year.

Under the data protection law, companies that suffer personal information leaks can be fined up to 3 percent of their average annual sales in the past three years, although sales from businesses unrelated to the violation can be excluded.

Based on the 2025 sales of Coupang's U.S.-listed parent company, Coupang Inc., at about 49 trillion won (US$32.2 billion), the regulator could theoretically levy a fine as high as around 1.5 trillion won.

Last year, the PIPC fined SK Telecom Co. 134.8 billion won over a data leak, which marked the largest penalty imposed by the regulator.

Coupang reported its data breach in November, in which personal information of its customers, including names, phone numbers and delivery details, was exposed.

A joint public-private probe into the breach confirmed in February that over 33.6 million accounts had been exposed.

(END)