The South Korean Personal Information Protection Commission (PIPC) issued substantial administrative sanctions against Coupang and Coupang Fulfillment Services (CFS) for severe breaches of the Personal Information Protection Act (PIPA). This action, including a penalty of KRW 624.681 billion for Coupang, resulted from a data breach affecting over 33 million users and 4.33 million third parties, caused by inadequate security management, delayed notifications, and undermining the Chief Privacy Officer's role. The PIPC also found failures in data destruction and evidence preservation. This indicates an active enforcement posture by the PIPC.
Effective date
2026-06-10
Action required
Companies operating in South Korea, particularly those handling large volumes of personal data, must immediately review and enhance their data security practices, incident response protocols, and CPO authority to ensure compliance with PIPA and prevent similar severe penalties.
Binding status
binding
Governing body
Personal Information Protection Commission
Direction
restrictive
Innovation impact
constraining
Enforcement details
Case name
The PIPC Sanctions Coupang and CFS for Data Breaches and Infringements on Privacy
Agency
Personal Information Protection Commission (PIPC)
Penalty
KRW 624,681,000,000
Compliance requirements
Required disclosures
- Data breach notification to PIPC and competent authorities within 72 hours
- Notification to affected data subjects
Prohibited practices
- Failure to securely manage authentication methods (e.g., signing keys)
- Insufficient access control to prevent illegal access
- Delayed data breach notification
- Undermining the independent work of a CPO
- Failure to destruct personal information after withdrawal
- Failure to preserve evidence (e.g., access logs)
Transparency requirements
- Disclosure of investigation results (when conducted by CPO)
Affected industries
Affected roles
Cross-references
Cites laws
Personal Information Protection Act (PIPA)
"The PIPC found that the data breach was caused by inadequate management of baseline personal data protection, not by sophisticated hacking techniques."
Enriched 2026-06-25
Stay informed
Get daily intelligence briefs on this and related regulatory developments.