South Korean regulators on Thursday issued a 624.7 billion won penalty - equivalent to $409 million - against Coupang LLC following a major data breach that revealed the details of more than 33 million users, officials said.
The fine was assessed by the Personal Information Protection Commission and is the largest privacy-related monetary sanction ever imposed in South Korea.
The breach occurred late last year and triggered a government-led inquiry. That probe concluded that the incident was primarily the result of management failures rather than a sophisticated external cyberattack, according to the official account of the investigation.
The scope of the leak, which exposed data for over 33 million users, prompted public criticism and drew scrutiny from lawmakers. In addition to regulatory action, the episode has had a clear market repercussion: Coupang, which is listed on U.S. exchanges, has seen its shares decline by about 35% so far in 2026.
Market commentary and investor reaction have focused on the scale of both the penalty and the user data involved. The Personal Information Protection Commission's decision to levy a record fine underscores the regulatory weight being placed on corporate data stewardship.
For the company, the action represents a material regulatory sanction tied directly to the breach and to the findings of the government-led probe. The combination of a historic penalty and widespread disclosure of user information has led to heightened public and political attention.
At this stage, authorities have framed the root cause as management shortcomings. Beyond that characterization, the public record provided alongside the sanction does not attribute the incident to a more complex or externally orchestrated cyberattack.
Investors and observers will be watching how the company responds to the penalty and how it addresses questions around data protection and corporate oversight. The immediate market effect has been substantial, as reflected in the decline of the firm’s share price so far this year.
Context note - The information above is drawn from the regulatory action and the public account of the investigation. Details beyond what authorities have stated about the breach and the findings are not provided here.