South Korea imposes record $400 million fine on US-headquartered Coupang over data breach

South Korean authorities have levied a record-breaking fine of 624 billion won, exceeding $400 million, against retail giant Coupang following a significant data breach. The Seoul Personal Information Protection Commission issued the maximum penalty on Thursday, concluding an investigation into an incident discovered in December 2025 that compromised the personal information of more than 34 million customers.

Coupang, which is headquartered in the United States but operates primarily in South Korea where it is often described as the “Amazon of Asia,” stated that the breach involved a former employee accessing sensitive data. According to the company, the individual obtained names, email addresses, shipping addresses, phone numbers, and order histories. Coupang told BBC News that the incident affected approximately two-thirds of South Korea’s population.

The penalty represents a notable exception in cross-border regulatory enforcement, as US companies rarely face financial sanctions or criminal prosecution for data breaches due to a lack of specific laws and enforcement powers in the US jurisdiction. This case highlights the increasing scrutiny South Korean regulators are applying to data protection standards, regardless of a company’s domicile.

In response to the ruling, Coupang announced its intention to challenge the regulator’s decision. The company’s legal team is expected to contest the severity of the penalty and the findings regarding the scope of the data exposure.

The enforcement action has also drawn political attention. Korean lawmakers have accused some US representatives of attempting to link the case to broader US-South Korean bilateral ties. These allegations suggest that political pressure may have been applied in response to the case against Coupang’s executives, although such claims remain unverified assertions by lawmakers.