Enforcement action · Personal Information Protection Commission (PIPC)

The PIPC Sanctions Coupang and CFS for Data Breaches and Infringements on Privacy

The PIPC Sanctions Coupang and CFS for Data Breaches and Infringements on Privacy is an AI-related enforcement action involving Personal Information Protection Commission (PIPC). Penalty: monetary_fine of $KRW 624,681,000,000. South Korea's PIPC sanctioned Coupang and CFS with significant penalties for multiple violations of the Personal Information Protection Act, including a major data breach affecting 33 million users, insufficient security, delayed notifications, and undermining CPO independence.

Action details

Agency
Personal Information Protection Commission (PIPC)
Jurisdiction
KR
Enforcement type
fine
Document type
enforcement action
Penalty
$KRW 624,681,000,000 monetary_fine
Effective
2026-06-10
Topic
data privacy

Summary

The South Korean Personal Information Protection Commission (PIPC) issued substantial administrative sanctions against Coupang and Coupang Fulfillment Services (CFS) for severe breaches of the Personal Information Protection Act (PIPA). This action, including a penalty of KRW 624.681 billion for Coupang, resulted from a data breach affecting over 33 million users and 4.33 million third parties, caused by inadequate security management, delayed notifications, and undermining the Chief Privacy Officer's role. The PIPC also found failures in data destruction and evidence preservation. This indicates an active enforcement posture by the PIPC.

Primary source

https://www.pipc.go.kr/eng/user/ltn/new/noticeDetail.do?bbsId=null&nttId=3071 →

Frequently asked questions

What is The PIPC Sanctions Coupang and CFS for Data Breaches and Infringements on Privacy?
The South Korean Personal Information Protection Commission (PIPC) issued substantial administrative sanctions against Coupang and Coupang Fulfillment Services (CFS) for severe breaches of the Personal Information Protection Act (PIPA). This action, including a penalty of KRW 624.681 billion for Coupang, resulted from a data breach affecting over 33 million users and 4.33 million third parties, caused by inadequate security management, delayed notifications, and undermining the Chief Privacy Officer's role. The PIPC also found failures in data destruction and evidence preservation. This indicates an active enforcement posture by the PIPC. Primary source →
Which agency brought the action?
Personal Information Protection Commission (PIPC) brought this enforcement action in KR. Primary source →
What was the penalty?
The disclosed penalty is a monetary_fine amount of $KRW 624,681,000,000. Primary source →
When did the action take effect?
The action was effective 2026-06-10. Primary source →
Where can I find the primary source?
The primary source for The PIPC Sanctions Coupang and CFS for Data Breaches and Infringements on Privacy is at https://www.pipc.go.kr/eng/user/ltn/new/noticeDetail.do?bbsId=null&nttId=3071. AIGI does not paraphrase secondary commentary — every claim on this page links back to that primary source. Primary source →

Stay informed

Get every Personal Information Protection Commission (PIPC) AI enforcement update.

Start 14-day trial →