South Korea has levied a record fine of 625 billion won, equivalent to US$409.3 million, against e-commerce firm Coupang. This penalty stems from a massive customer data breach affecting over 33 million individuals and the unlawful collection of personal information. The fine represents the largest ever imposed in South Korea for a data protection violation.
The Personal Information Protection Commission found Coupang failed to report the breach within the mandatory 72-hour window. Inadequate security measures, rather than a complex cyberattack, led to the incident. An investigation revealed a former employee stole a security key, granting unauthorised access. Troublingly, Coupang’s systems continued to provide data access even after the employee's departure. Furthermore, the company illegally gathered online activity data from approximately 11 million customers via a marketing programme without securing proper consent.
This substantial fine, equating to about 1.4% of Coupang’s 2025 revenue of 45 trillion won, serves as a significant warning. For beauty and salon businesses in the UK, this case highlights the increasing regulatory risk associated with handling customer data. While the breach involved an e-commerce giant, the principles of data security, consent, and timely reporting apply universally. The incident suggests that even basic security controls, like revoking access credentials when an employee leaves, can be critical failure points. Businesses must ensure their data governance practices are not just compliant but demonstrably effective in protecting sensitive client information.
