Hello, this is attorney Kim Kwang-sik of Cheongchul Law Firm.
On June 11, 2026, the Personal Information Protection Commission (PIPC) resolved to impose a penalty surcharge of KRW 624.68 billion and an administrative fine of KRW 16.8 million on Coupang, in a case where the personal information of approximately 37.55 million people was leaked and the online activity records of 11.17 million people were collected without consent. This far exceeds the previous record—the KRW 134.8 billion surcharge in the SK Telecom USIM data leak case—making it the largest ever.
This disposition is not simply a matter of “being held liable for being hacked.” The PIPC found that this incident stemmed not from a sophisticated hack but from deficiencies in Coupang's basic security management system and lax oversight. Separately from the leak, it also sanctioned the unlawful collection of third-party online activity records without legal basis, lax supervision of “hijacking ads,” and unlawful processing of personal information by an affiliate. In other words, this is a case where two axes—breach of security obligations under the Personal Information Protection Act (PIPA) and infringement of the data subject's right to self-determination—were at issue simultaneously.
Today, from a privacy lawyer's perspective, I will examine the reasons and grounds for this disposition, the structure of the surcharge calculation, and the upcoming collective dispute resolution process.
[Question]
On what grounds did the PIPC impose the largest-ever surcharge on Coupang, and what should companies and data subjects take away from this disposition?
[Answer]
1. The core of this incident was not a “sophisticated hack” but a “breach of basic security obligations”
The PIPC's investigation confirmed that the leak resulted not from a sophisticated external intrusion but from Coupang's internal failure to manage authentication keys and lax access control. The perpetrator was a former employee who had previously developed Coupang's alternative authentication in-house; using a signing key obtained during employment, he generated forged authentication tokens and, from April to November 2025, accessed member information edit pages, delivery address management pages, and order list pages to leak personal information.
The PIPC found two key circumstances constituting a breach of the security obligation (PIPA Article 29). First, Coupang operated a key management system that allowed the authentication signing key to be viewed in plaintext even when not necessary for work, and failed to promptly renew or discard the signing key even after an employee with access left the company. Second, during the attacker's campaign there was abnormal traffic far exceeding normal levels and numerous illegitimate accesses using authentication tokens of non-existent members, yet Coupang failed to recognize this until customer complaints were received. Its blocking thresholds were inadequate, and no detailed analysis of detected anomalies was conducted.
Ultimately, the PIPC grounded its finding of illegality on the fact that Coupang designed and operated a structure in which “compromising a single key could expose all member accounts” without commensurate management. This made clear that the security obligation requires not the “formal provision of security equipment” but a “control system that actually functions.”
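To illustrate the two controls the PIPC found missing, retiring a signing key once its holder leaves and flagging validly signed tokens that reference non-existent members, here is a small added Python example; it is not code from the post or from Coupang's systems, and the key ring, member directory and alert threshold are constructed assumptions.

```python
import hmac, hashlib, base64, json

# Constructed key ring: every signing key carries an id (kid) and a status.
# When a key holder leaves, the key is retired and tokens signed with it are rejected.
KEYS = {"k1": {"secret": b"constructed-old-key", "active": True},
        "k2": {"secret": b"constructed-current-key", "active": True}}
MEMBERS = {1001, 1002, 1003}  # constructed member directory

def _b64(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def retire_key(kid):
    """Offboarding step: a departed holder's key must stop validating tokens."""
    KEYS[kid]["active"] = False

def sign_token(kid, member_id):
    """Issue a minimal HMAC-signed token: <payload>.<signature>."""
    payload = _b64(json.dumps({"kid": kid, "sub": member_id}).encode())
    mac = hmac.new(KEYS[kid]["secret"], payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(mac)}"

class Verifier:
    def __init__(self, alert_threshold=3):
        # Count of well-signed tokens naming members that do not exist; a leaked
        # key used to forge tokens shows up here even though the signature is valid.
        self.unknown_subject_hits = 0
        self.alert_threshold = alert_threshold

    def verify(self, token):
        try:
            payload, sig = token.split(".")
            claims = json.loads(_unb64(payload))
        except ValueError:
            return "malformed"
        key = KEYS.get(claims.get("kid"))
        if key is None or not key["active"]:
            return "retired_key"
        expected = hmac.new(key["secret"], payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return "bad_signature"
        if claims.get("sub") not in MEMBERS:
            self.unknown_subject_hits += 1   # anomaly worth analysing, not just blocking
            return "unknown_member"
        return "ok"

    def alert(self):
        """True once unknown-member tokens cross the threshold an operator should investigate."""
        return self.unknown_subject_hits >= self.alert_threshold
```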
2. Breaches of the notification and destruction obligations, exclusion of the CPO, and obstruction of the investigation were also recognized
Beyond the leak itself, the PIPC identified several additional violations in Coupang's response before and after the incident.
Breach of the notification obligation (Article 34): Coupang recognized an additional leak of approximately 160,000 people through the delivery address management page but only notified them after the statutory 72 hours had passed, and despite repeated urging by the PIPC, failed to notify “non-member data subjects” whose delivery information was included in the leak.
Breach of the destruction obligation (Article 21): Coupang failed to destroy approximately 2.46 million delivery records and approximately 310,000 account numbers of withdrawn members that, under its internal rules, should have been destroyed immediately or after a set period, and some of these were actually leaked.
Infringement of CPO independence (Article 31): Coupang excluded its Chief Privacy Officer (CPO) from decision-making during its self-investigation and the disclosure of its results, and caused social confusion by releasing unverified findings relying solely on the hacker's statements. The PIPC viewed this as hollowing out the CPO system.
Obstruction of the investigation (Article 63): Despite a data preservation order, Coupang manually deleted about five months' worth of web access logs and did not suspend its automatic log deletion policy, making it difficult to confirm the timing and scale of the leak. For this part, the PIPC also resolved to file a criminal complaint.
The fact that the “leak itself” and the “post-leak response” are evaluated as separate breaches is highly significant in practice. The notification, destruction, internal governance, and evidence preservation processes after an incident all become subject to independent legal liability.
3. Separately from the leak, an infringement of “collecting personal information without legal basis” was recognized
A notable part of this disposition is the infringement investigation conducted independently of the leak incident. The PIPC confirmed that, in operating its “Coupang Partners” affiliate marketing, Coupang collected “third-party online activity records”—visit logs (URLs and app names), access dates and times, and access IPs—without consent when users accessed third-party web and app sites carrying Coupang ads, and stored them in its advertising database. The scale reached approximately 11.17 million people.
Coupang argued that “a URL or app name alone cannot identify a specific individual, so it is not personal information,” but the PIPC found that such records, combined and stored together with member numbers and device identifiers, themselves constitute personal information capable of identifying individuals. Treating this as collecting and using personal information without a lawful basis such as consent, the PIPC imposed a surcharge of KRW 201.06 billion for violation of PIPA Article 15(1).
In addition, regarding the fact that some advertising partners posted so-called “hijacking ads” that forcibly redirected users to Coupang even without clicking the ad—thereby collecting activity records against users' intent—the PIPC found that Coupang was lax in management and supervision and issued a corrective order for violation of the personal information protection principles (Article 3(1)). This is in the same vein as the approximately KRW 100 billion surcharge against Google and Meta in 2022, showing that the regulatory trend on behavior-based targeted advertising continues.
4. Why is the surcharge KRW 624.6 billion — the calculation structure and aggravating/mitigating factors
Under the current PIPA, the surcharge for breach of the security obligation is calculated based on “revenue excluding revenue unrelated to the violation, within a limit not exceeding 3% of total revenue.” The PIPC used the revenue of the Coupang e-commerce service where the incident occurred as the basis, and excluded independent revenue such as Coupang Eats and Coupang Play.
The total surcharge of KRW 624.68 billion is broadly divided into three parts. KRW 423.575 billion was imposed for violations including security measures related to the leak, KRW 201.06 billion for the unlawful collection of third-party online activity records, and KRW 248 million on the affiliate Coupang Fulfillment Services (CFS). Added to this was an administrative fine of KRW 16.8 million for breaches of the notification and destruction obligations.
In assessing aggravating and mitigating factors, the PIPC treated as aggravating that a large-scale personal information controller with annual revenue exceeding approximately KRW 30 trillion neglected its authentication system and key management, leading to a massive leak; that it failed to detect numerous anomalies for over six months; and that it obstructed the investigation. On the other hand, for the infringement part, mitigating factors included that the collected information was not used to train targeted advertising algorithms and that Coupang continued personal information protection efforts such as obtaining and maintaining ISMS-P certification.
For reference, the amended PIPA that passed the National Assembly in February 2026 raised the surcharge ceiling from 3% to 10% of total revenue for repeated violations by intent or gross negligence or for large-scale damage affecting 10 million or more people. However, in consideration of legal stability, it was decided not to apply this retroactively to incidents occurring before enforcement, so the previous 3% standard applied to this Coupang case. Given that the surcharge could have been far larger had the amended law applied, this disposition is regarded as a turning point toward stronger sanctions going forward.
5. Remedies for data subjects — resumption of the collective dispute resolution process and additional participation
In connection with this disposition, the remedy process for data subjects has also begun in earnest. The Personal Information Dispute Mediation Committee merged two collective dispute mediation applications filed against Coupang into a single case and, on June 12, 2026—the day after the disposition—resumed the mediation process that had been suspended.
Accordingly, for 15 days from June 12 to June 26, additional applicants are being recruited to participate in the collective dispute mediation process. Users who were notified by Coupang of a personal information leak on or after November 29, 2025 may participate by completing the application form posted on the Committee's website (www.kopico.go.kr) and submitting it by email or mail.
However, participation is restricted where compensation has already been agreed with Coupang, where proceedings on the same matter are pending or concluded before another dispute resolution body, or where a civil lawsuit has already been filed for the same infringement. The Committee will prepare and notify a mediation proposal within 60 days of the application deadline, and if either party rejects it, the mediation fails. Even if mediation fails, data subjects may claim damages through a separate civil lawsuit.
This Coupang case reaffirms that, for platform companies handling large volumes of personal information, the security obligation is itself a core legal responsibility. The PIPC made clear the principle that “the same standards and strict legal responsibility must apply regardless of whether a company is domestic or foreign,” and made the entire process—not only the leak but also collection of data without consent, the post-incident response, and internal governance—subject to sanction.
For companies, it has become more important than ever to substantively review authentication and access control systems, to overhaul retention and destruction policies, to secure the legality of consent procedures for targeted advertising and behavioral data collection, and to design notification, reporting, and evidence preservation procedures in advance for when an incident occurs. For data subjects, it is necessary to check whether they received a leak notification and the possibility of secondary harm, and to timely review remedies such as collective dispute mediation or damages claims.
Cheongchul Law Firm provides legal advice on the full scope of the Personal Information Protection Act—from corporate regulatory response and the overhaul of internal control systems to data subjects' participation in collective dispute mediation and responses to damages claims—in connection with personal information leak and infringement incidents. If you have received a personal information leak notification or need to respond to regulation or disputes, we recommend systematically organizing the facts and evidence from the early stage to design your direction of response.