Coupang Hit with Record $409 Million Fine for Massive Data Breach Affecting 37 Million Customers
South Korea's data protection regulator, the **Personal Information Protection Commission (PIPC)**, has levied a record-breaking fine of 624.6 billion won (approximately $409 million) against e-commerce giant **Coupang**. The penalty stems from a severe data breach that exposed the personal information of over 37 million customers, highlighting critical failures in the company's security protocols.
The **PIPC**'s investigation revealed that the personal information of approximately 37.55 million individuals was compromised due to inadequate security practices. These deficiencies included negligent authentication key management and insufficient access controls.
**Coupang Fulfillment Service**, a subsidiary, also faced a fine of 248 million won for the unlawful collection, use, and handling of sensitive customer data.
Beyond security shortcomings, the **PIPC** cited **Coupang** for violations related to data destruction and leak notification requirements. The regulator also found evidence of interference with the independence of **Coupang**'s data protection officer and obstruction of the ongoing investigation.
"Personal information of approximately 37.55 million people leaked due to insufficient basic safety management system, including negligence in authentication signature key management and access control," the **PIPC** stated. "Regarding **Coupang**'s violation of safety measure obligations and collection of personal information without legal basis, a fine of 624.681 billion won and a fine of 16.8 million won were imposed, as well as corrective orders, announcements, and publication orders."
**Coupang**, an American online retail company with significant operations in South Korea, employs 95,000 people and boasts annual revenues exceeding $30 billion.
### Compensation Efforts Underway
In late December, **Coupang** announced plans to allocate 1.685 trillion won (approximately $1.17 billion) for customer compensation. This initiative will see the distribution of single-use purchase vouchers, each valued at 50,000 won (about $34), to over 33 million affected customers starting in January 2026.
### Breach Discovery and Suspect Details
This incident, one of the most significant data breaches in South Korea's history, occurred in late June but remained undetected until mid-November. It was then that **Coupang** disclosed that 33.7 million accounts had been compromised.
South Korean authorities, who took over the investigation, identified a 43-year-old Chinese national as the primary suspect. This individual, a former employee of **Coupang**'s IT department between 2022 and 2024, is believed to be responsible for the breach.
**Coupang** later reported that the former employee returned multiple hard drives containing sensitive data. The suspect also attempted to destroy evidence by disposing of a **MacBook Air** laptop in a river, though the device was subsequently recovered. The company added that while the suspect accessed millions of accounts, they reportedly retained user data for approximately 3,000 accounts; that data has since been deleted from all devices and was not transferred to others.
### Broader Landscape of Korean Cybersecurity Incidents
This incident follows another significant security event in South Korea. In April, **SK Telecom**, the nation's largest mobile network operator, warned customers that sensitive **USIM** data had been exposed due to a malware attack on its network. The company later disclosed that the malware had been present on its systems since June 2022, ultimately impacting 27 million subscribers, nearly its entire customer base.
