| Title | The PIPC Sanctions Coupang and CFS for Data Breaches and Infringements on Privacy | ||
|---|---|---|---|
| Department | Date | 2026.06.17 | |
| Attachment | press release The PIPC Sanctions Coupang and CFS for Data Breaches and Infringements on Privacy.pdf | ||
| Page URL | https://www.pipc.go.kr/eng/user/ltn/new/noticeDetail.do?bbsId=BBSMSTR_000000000001&nttId=3071 | ||
| Contents |
Press Release The PIPC Sanctions Coupang and CFS for Data Breaches and Infringements on Privacy
June 11, 2026 (This is an unofficial translation of a press release, originally prepared in Korean.)
The Personal Information Protection Commission (PIPC) held its 11th plenary meeting of 2026 and resolved to sanction Coupang Inc. (Coupang) and Coupang Fulfillment Services (CFS) for their failures to comply with the Personal Information Protection Act (PIPA) on June 10, 2026. Administrative sanctions are as follows:
● Coupang: A penalty for violations (Gwajinggeum) of KRW 624.681 billion A fine for wrongdoing (Gwataeryo) of KRW 16.8 million Correction and publication orders ● CFS: A penalty for violations (Gwajinggeum) of KRW 248 million
Background
The PIPC initiated investigations after Coupang reported its data breach affecting more than 33 million users on November 20, 2025. As privacy concerns grew from the hearing sessions at the National Assembly, media reports, and other ministries and agencies regarding so-called kidnapping advertisements and employment restriction lists associated with Coupang and CFS, the PIPC began conducting additional investigations on January 7, 2026.
The PIPC teamed up with the Korea Internet & Security Agency (KISA) on November 30, 2025, to launch a task force to examine Coupang’s data processing practices and legal compliance based on a principle-based approach under the PIPA and applicable laws.
Findings of the Data Breach
The PIPC found that the data breach was caused by inadequate management of baseline personal data protection, not by sophisticated hacking techniques. A hacker was a former employee who accessed authentication signing keys during employment. On January 25, the hacker forged backup authentication tokens and attempted hacking tests targeting Coupang’s Edit My Information Page and Delivery Address List Page. Using forged authentication tokens, the hacker accessed Coupang’s internal system from April to November 2025, as follows:
● Accessed the Delivery Address List Page ● Accessed Edit My Information Page ● Accessed Order History Page
The Scale of Data Breach The leaked data includes:
● About 33.22 million Coupang users ● Names, email addresses, shipping information, etc.
Shipping information includes personal information about users and third parties, such as users' family members and acquaintances. The leaked shipping information of about 4.33 million third-party data subjects includes:
● Names, telephone numbers, and addresses ● Order information, building access passwords, etc.
Major Violations
The PIPC’s investigations found that Coupang’s data breach was caused by its failure to implement baseline safeguards and poor security management, not by sophisticated hacking techniques. Coupang’s major violations are as follows:
Failures to Securely Manage Authentication Methods Coupang’s token-based authentication mechanism relies solely on e-signatures. Such insufficient protection of signing keys may allow unauthorized access to entire user accounts if the keys are not managed securely, thereby requiring strict operational and management controls.
However, Coupang was complacent in managing access authorization, allowing access to signing keys in plaintext even when a backup signing key was not necessary. It also failed to immediately renew or destruct signing keys after the hacker left the company.
Insufficient Access Control to Prevent Illegal Access and Infringements During the hacker’s attack from April to November 2025, traffic anomalies were generated on webpages containing personal information.
However, Coupang also failed to set thresholds to block webpages containing personal information and did not conduct separate analyses of detected anomalies, missing an opportunity to prevent a data breach in advance.
Delayed Data Breach Notification Coupang became aware of the data leak affecting about 160,000 users through its Delivery Address List Page on January 30, 2026, but failed to notify the PIPC or other competent authorities within 72 hours required under the PIPA. The leaked data also includes non-members’ personal information. The PIPC urged Coupang to repeatedly inform the affected data subjects of the incident, but it failed to do so. The affected data subjects missed out on an opportunity to prevent secondary damage.
Undermining the Independent Work of a CPO Coupang conducted an internal investigation from December 8 to 18, 2025, and disclosed the results on its website on December 25, 2025. However, Coupang’s Chief Privacy Officer (CPO) was excluded from the investigation and information disclosure process. Accordingly, the investigation results relied solely on the hackers’ statements. The PIPC deemed such practices to undermine the independence and roles of CPOs, which are core elements of the privacy protection framework.
Failures to Destruct Personal Information Coupang’s privacy policy states that user information should be destructed within 90 days from the withdrawal date, and shipping addresses and account numbers should be immediately destructed on the withdrawal date. The detailed violations are as follows:
● Failures to destruct 2,465,592 cases of shipping information of users who withdrew membership ● Failures to destruct 318,499 cases of account numbers of users who withdrew membership ● Failures to destruct 718,685 cases of personal information of users who withdrew membership stored in the separate DB within 90 days
Failures to Preserve Evidence The PIPC issued an order to preserve access logs and other evidence related to the data breach, but Coupang manually deleted web access logs from July to November 2024, impeding fact-finding into the data breach's initial timing. It also failed to put a hold on its automated log removal policy on a six-month cycle, making it difficult for the PIPC to identify the exact scale of the data leak and its implications.
Sanctions The PIPC resolved to impose a penalty for violations of KRW 423.575 billion on Coupang for its failures to implement sufficient safeguards, and impose a fine for wrongdoing of KRW 16.8 million for violating obligations to notify the data breach and destruct personal information.
Moreover, the PIPC issued correction orders to strengthen safeguards, including key management and access-control overhauls, data-breach notifications to non members, and internal data-privacy governance overhauls.
The PIPC also issues recommendations on storing and managing personal information to meet minimum requirements, and on updating and disclosing Coupang’s privacy policy to align with its data processing practices in practice.
The aforementioned administrative sanctions should be published on the company’s website, and such sanction results will also be posted on the PIPC’s website.
Privacy Infringements on Data Subjects
Unlawful Collection of Online Behavioral Data of Users from External Websites and Applications Coupang has been operating so-called Coupang Partners, a marketing program that enables individuals or corporations to promote its products on their online channels using a range of tools. When a purchase is made, Coupang partners will receive revenue (3% of the purchase) from Coupang.
When Coupang users visit other platforms (websites or applications) that publish Coupang ads, Coupang publishes targeted advertisements based on users’ interests or tastes after confirming whether they have given consent to marketing. During this process, Coupang unlawfully collected online behavioral data of about 11.17 million users and around 15.645 million webpages access logs, such as:
● Visited URLs ● Web use records ● Access time and date ● IP addresses ● Device identifiers
The PIPC deemed such data to be personal information when combined with membership numbers and device identifiers. When online behavioral data accumulates over time, it may increase the risk of profiling and inference of sensitive data, potentially infringing on data subjects’ rights. However, Coupang failed to obtain user consent or notify users of the collection of such data.
Sanctions The PIPC resolved to impose a penalty for violations of KRW 201.106 billion on Coupang for unlawfully collecting users’ online behavioral data on other platforms, in violation of Article 15-1 of the PIPA.
The PIPC also issued correction orders on Coupang to: ● Clearly notify users of targeted advertising by processing identifiable information from external websites and applications ● Make it easy to withdraw consent for the collection and use of personal information for marketing purposes ● Overhaul internal data processing practices and conduct internal reviews to ensure compliance with the PIPA
At the same time, the aforementioned sanction results should be published on Coupang’s website.
Coupang operated the Coupang Partners program, but its partners posted so-called kidnapping advertisements that redirected to Coupang’s website or application. Coupang said they became aware of such advertisements in August 2022 and operates the report and detection system.
However, the PIPC found that the oversight of such advertisements was not properly done. Such practices violate Article 3-1 of the PIPA (purpose limitation and the legitimacy of data collection). The PIPC issued correction orders to Coupang, requiring it to impose strict penalties and oversee advertising partners that post unauthorized advertisements.
Violations by Coupang Fulfillment Services (CFS)
Collection of Personal Information without a Lawful Basis CFS is Coupang’s logistics subsidiary, and it has been collecting employees' personal information since 2017. CFS included 71 members of the press corps to the National Police Agency in an employment restriction list for spreading misinformation despite no employment history at the CFS logistics center from September 2023 to February 2024. However, it was not based on consent or a lawful basis. The PIPC imposed a penalty for violations of KRW 220 million for violating Article 15-1 of the PIPA (the collection and use of personal information).
Unlawful Processing of Health Information CFS has collected health check-up data from employees who gave consent to the use of their data for health management purposes. However, the PIPC found that CFS used the weight information of 80 employees in court submissions in March 2024. The PIPC found that such data submissions during legal proceedings constitute sensitive data processing without separate consent from data subjects or a lawful basis. The PIPC imposed a penalty for violations of KRW 28 million for violations of Article 23-1 of the PIPA (the restriction on sensitive data processing).
Key Takeaways Prior to the plenary meeting, PIPC commissioners held several meetings to conduct dedicated discussions and gather feedback on investigation results and administrative sanctions.
The PIPC started its 11th plenary meeting at 10:00 a.m. on June 10, 2026, to allow sufficient time for Coupang and CFS to present their views and for Q&A. The Commission finalized its resolution on Coupang around 23:30 p.m.
Taking this opportunity, the PIPC sets another example by applying the same approaches to domestic and foreign business operators that process the personal information of Korean data subjects.
At the same time, the PIPC clarifies that platform business operators that process large-scale personal information should be held accountable for insufficient privacy safeguards and infringements of the right to self-determination.
Chairperson Kyung Hee Song said, “The PIPC hopes that sanctions imposed on Coupang can serve as an opportunity for online platform business operators closely related to everyday life to make further investments in data protection and security and take stronger internal control measures. We will do our utmost to establish an environment that enables the secure use and protection of data across various platforms.”
* A PDF file, formatted for better readability, is attached.
|
||