Up to 3% of Annual Revenue Fine Under the Personal Information Protection Act
Coupang Could Face Fines Exceeding 1 Trillion Won
Comprehensive Investigation Into Access Control, Encryption, and Other Safety Measures
Surpassing Previous Cases
Coupang has experienced the largest personal information leak in South Korea’s history, with 33.7 million customer records compromised. If legal violations are confirmed, the company could face a fine of up to 1 trillion won. The leaked information, which includes address books and personal lifestyle details, surpasses previous major incidents involving companies such as SK Telecom and Interpark.
According to industry sources on December 1, the Personal Information Protection Commission has been investigating Coupang since the previous day to determine whether the company violated safety obligations regarding access control, access rights management, and encryption of personal information.
Previously, on November 29, Coupang announced through a notice that approximately 33.7 million customer accounts had been exposed without authorization. The leaked data includes names, email addresses, delivery address books containing names, phone numbers, and addresses, as well as some order information.
A massive personal information leak incident involving over 30 million cases occurred at Coupang. This scale surpasses the economically active population of 29.69 million and is the worst leak incident in history. Photo by Dongju Yoon, Coupang headquarters on December 1, 2025.
Concerns have been raised that this leak involves not only basic account information but also consumers’ actual residential and delivery addresses, which could be exploited for smishing, phishing, or even in-person crimes.
Up to 3% of total sales... Fines could reach hundreds of billions to 1 trillion won
Under the current Personal Information Protection Act, companies can be fined up to 3% of their total sales for major violations such as large-scale data leaks.
In Coupang’s case, last year’s consolidated sales amounted to 38.2988 trillion won, with the average sales for the past three years at approximately 31.7 trillion won. If a violation of the Personal Information Protection Act is confirmed, the maximum fine could reach about 951 billion won. However, sales unrelated to the violation may be excluded depending on the company’s explanation, which could reduce the total fine.
A massive personal information leak involving over 30 million cases has occurred at Coupang. This scale exceeds the economically active population of 29.69 million, making it the worst leak incident in history. On December 1, following an apology text message from Coupang regarding the personal information leak incident, a Coupang signboard installed at Coupang headquarters is visible. 2025.12.01 Photo by Dongju Yoon
Typically, the amount of the fine is determined by factors such as the level of security measures, the circumstances and illegality of the leak, the implementation of administrative and technical protection measures, and the sincerity of the company’s response after the incident. Nevertheless, given the scale of the leak and the sensitivity of the information, industry experts believe the sanctions could be unprecedented in comparison to previous cases.
A scale unlike any previous personal information leak case
While South Korea has experienced various personal information leaks in the past, the Coupang incident is considered unparalleled when factoring in the scale, types of information leaked, and the method of calculating fines based on sales.
The largest fine ever imposed for a personal information leak was in the SK Telecom case earlier this year. In August, SK Telecom was fined 134.79 billion won after the core telecommunications data of about 23.24 million people was leaked. The seriousness of the case was heightened because not only basic customer information but also 25 types of core telecommunications security data, such as USIM authentication keys and identification information, were compromised. Notably, this was the first major penalty applied after the revision of the 3% fine regulation.
The most similar case to Coupang in terms of the number of records leaked was Interpark in 2016, where a hacker infiltrated the system by stealing a customer service employee’s account, resulting in the leak of about 25.4 million members’ information. However, at that time, the 3% of sales fine standard was not in place, so the fine was limited to about 4.4 billion won.
In 2024, Golfzon suffered a ransomware attack that led to the leak of about 2.21 million records and a fine of around 7.5 billion won. The lack of adequate technical protection measures, such as backup and access control, was cited as a problem. The same year, Kakao experienced a leak of only about 60,000 records, but due to insufficient security measures and poor response, the company was fined 15.1 billion won, which was considered a strong penalty relative to the scale of the leak.
Incidents have also occurred outside the telecommunications and platform sectors. In 2023, LG Uplus had about 300,000 customer identification records leaked and was fined about 6.8 billion won. In addition, the 2017 leaks at YogiYo and Hanatour each involved several hundred thousand records, but the regulatory environment was less strict at the time, resulting in fines of only 300 to 400 million won.
These cases demonstrate that the scope of penalties has varied greatly depending on the sensitivity of the information, the size of the company, and the level of responsibility. However, the Coupang case is considered incomparable to previous incidents, not only due to the unprecedented number of records leaked but also because it involves large-scale lifestyle information based on address books.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
