Coupang Hit with Record $409 Million Fine for Massive Data Breach and Systemic Failures
South Korea's largest online retailer, **Coupang**, has been slapped with an unprecedented 624.7 billion won ($409 million) fine by the **Personal Information Protection Commission (PIPC)**. The penalty follows an extensive investigation into a data breach affecting tens of millions of customers and uncovering a slew of systemic privacy violations and evidence destruction.
The **PIPC** announced its decision following a plenary session, concluding that the breach was not the result of sophisticated external hacking but rather "deficiencies in basic safety management" at **Coupang** and its logistics subsidiary, **Coupang Fulfillment Services**.
This record-setting fine eclipses the previous high of 134.8 billion won ($88.8 million) levied against **SK Telecom** earlier this year, underscoring the severity of **Coupang**'s privacy failures.
### Anatomy of a Breach
The breach, which first came to light in November, initially impacted approximately 33.7 million customer accounts. The **PIPC**'s investigation confirmed that 33,222,472 registered members were affected. Crucially, it also identified at least 4,338,368 non-members whose data (names, phone numbers, addresses) was stored as delivery-recipient records without their knowledge or consent. **Coupang** failed to notify these non-member victims despite four formal requests from the regulator in December 2025 and January 2026.
### Inside Job and Data Exfiltration
The perpetrator was identified as an unnamed Chinese national, a former employee who departed **Coupang** at the end of 2024. While still employed, he developed **Coupang**'s alternative authentication system and stole the underlying signing key before his departure.
His attack commenced in January 2025 with a test run on 95 accounts. From April, he systematically harvested data, accessing **Coupang**'s delivery address page approximately 148 million times over two months to collect names, phone numbers, and addresses. This was followed by nearly 35 million accesses to the account edit page between June and October to gather names and email addresses. A final phase targeted apartment entry codes and order histories.
The former employee later reassembled the stolen data into individual customer profiles and sent extortion emails directly to members and **Coupang**, claiming to possess 120 million addresses, 560 million order records, and over 33 million email addresses, complete with sensitive purchase histories as sample data.
### Missed Warnings and Evidence Tampering
Despite the seven-month attack generating significant traffic spikes and millions of access attempts using non-existent member IDs, **Coupang** remained oblivious until a customer forwarded an extortion email.
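As an added defensive illustration (not code from the article or from Coupang), the signal described above, a single client repeatedly hitting profile pages with member IDs that do not exist, can be flagged from ordinary web access logs. The log line format, endpoint paths and thresholds below are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample access log (not real Coupang data).
# Assumed format: client_id endpoint member_id http_status
SAMPLE_LOG = """\
svc-token-A /my/delivery-address m1001 200
svc-token-A /my/delivery-address m1002 200
svc-token-A /my/delivery-address m9990001 404
svc-token-A /my/delivery-address m9990002 404
svc-token-A /my/delivery-address m9990003 404
svc-token-A /my/delivery-address m9990004 404
svc-token-A /my/delivery-address m9990005 404
user-B /my/delivery-address m1003 200
user-B /my/account/edit m1003 200
user-C /search q=shoes 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def parse(log_text):
    """Yield (client, endpoint, member_id, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            client, endpoint, member_id, status = m.groups()
            yield client, endpoint, member_id, int(status)


def find_enumeration(log_text, min_requests=5, min_miss_ratio=0.5):
    """Flag clients whose requests to profile endpoints (assumed to live
    under /my/) mostly target member IDs that do not exist (HTTP 404).
    A legitimate user looks up their own record; a harvester cycles through
    many IDs and gets a high miss rate.
    Returns {client: (total_requests, misses, distinct_member_ids)}."""
    stats = defaultdict(lambda: [0, 0, set()])
    for client, endpoint, member_id, status in parse(log_text):
        if not endpoint.startswith("/my/"):
            continue
        entry = stats[client]
        entry[0] += 1
        entry[2].add(member_id)
        if status == 404:
            entry[1] += 1
    return {c: (t, miss, len(ids)) for c, (t, miss, ids) in stats.items()
            if t >= min_requests and miss / t >= min_miss_ratio}
```

In production the same ratio would be computed per client per time window, so that a spike like the ones the regulator described raises an alert while it is happening rather than months later.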
Even more concerning, the **PIPC** has referred **Coupang** for criminal prosecution for evidence destruction. Regulators ordered the preservation of access logs on November 21, the day after **Coupang**'s initial breach report. However, six days later, the company manually deleted approximately six months of web access logs. Furthermore, **Coupang** failed to pause its routine policy of automatically deleting logs after six months, resulting in the loss of roughly 13% of logs covering the attack period, hindering the identification of all affected victims.
In a dramatic turn, police separately recovered a smashed **MacBook Air** weighted with bricks from a river, an apparent attempt by the alleged perpetrator to destroy evidence. Forensic teams from **Mandiant**, **Palo Alto Networks**, and **Ernst & Young** successfully documented its contents before handing it over to authorities.
### Additional Violations Uncovered
An expanded investigation in January 2026, prompted by parliamentary hearings and media coverage, unearthed several other significant violations:
* **Covert Browsing Data Collection:** Through its "Coupang Partners" affiliate marketing program, the company covertly collected third-party browsing activity (URLs, app names, timestamps, IP addresses, device identifiers) from approximately 11.2 million users without consent, linking this data to individual member accounts. **Coupang** argued this was not personal data, but the regulator disagreed, imposing a further 201.1 billion won ($132 million) fine for this violation. The records were deleted in April 2026 after investigators confronted the company.
* **"Hijack Ads":** Some advertising partners in the same program ran "hijack ads," redirecting users to **Coupang** without consent, sometimes by overlaying transparent buttons. **Coupang** had been aware of this since 2022 but failed to terminate offending accounts and, in some cases, paid higher commissions to partners caught engaging in the practice.
* **Journalist Blacklist:** **Coupang Fulfillment Services** secretly added 71 police press-corps journalists to an internal employment blacklist, citing "spreading false information," despite none having worked at a **Coupang** warehouse. This was done without their knowledge or consent.
* **Misuse of Health Data:** The logistics subsidiary also submitted employees' weight data, collected for health management, as evidence in an industrial accident lawsuit without a separate legal basis.
* **Compromised CPO Independence:** During its internal investigation of the hacker in December 2025, **Coupang** excluded its Chief Privacy Officer (CPO) entirely. Regulators deemed this a substantive violation of the CPO's legally mandated independence.
**Coupang**'s Acting CEO, **Harold Rogers**, who was questioned by police in January as a suspect in an obstruction inquiry, pledged full cooperation. However, the company has expressed regret over the **PIPC**'s decision and reserves the right to challenge it legally. Dispute mediation proceedings involving over 2,500 claimants are set to resume, and a class-action lawsuit in the United States remains pending.
**Coupang**'s shares have fallen approximately 35% since the start of the year, and the company faces ongoing scrutiny from South Korean lawmakers.