The Coupang data breach fine has set a new benchmark in South Korea, as regulators imposed the largest penalty ever levied on a single company over a hack that exposed the personal information of nearly two-thirds of the nation’s population. The decision also threatens to deepen a brewing diplomatic dispute with the United States over how foreign governments regulate American tech firms.

A Record-Breaking Penalty

On Thursday, South Korea’s Personal Information Protection Commission fined Coupang 624.6 billion won, or about $409 million, concluding that the country’s largest online retailer had been lax in its cybersecurity controls.

The commission’s head, Song Kyung-hee, was direct in her assessment, telling reporters that the company had neglected to implement adequate measures to detect and respond to unauthorized external access. Notably, while Coupang generates most of its revenue in South Korea, it is registered in Delaware, a detail that has added a cross-border dimension to the case.

A Breach of Staggering Scale

The fine followed months of investigation into the company, widely known as “South Korea’s Amazon,” after a hack exposed the personal data of nearly two-thirds of the country’s 51 million residents.

Some lawmakers had pushed for an even harsher punishment. Given that Coupang reported 41 trillion won in sales in 2024, South Korean legislators had called for penalties as high as 1.2 trillion won.

Even at $409 million, the fine dwarfs previous penalties for data leaks in the country. By comparison, SK Telecom, South Korea’s largest mobile carrier, was fined $97 million last year after the information of 25 million customers was exposed. The Coupang penalty stands far above that figure, underscoring the severity with which regulators viewed the breach.

A Retail Giant Under Scrutiny

Coupang’s prominence makes the case especially significant. Founded in 2010 by Korean-American Harvard graduate Bom Kim, the company rose to become the country’s largest e-commerce group on the strength of its “rocket delivery” service.

Backed by Japan’s SoftBank, Coupang now boasts 25 million active members across services spanning food delivery, streaming, and more. It ranks as South Korea’s largest private-sector employer after Samsung, a position that amplifies the impact of any regulatory action against it.

From Corporate Scandal to Diplomatic Flashpoint

What started as a corporate data scandal has since taken on international dimensions. A group of Coupang investors petitioned Washington under Section 301 of the Trade Act, a provision that allows the U.S. government to investigate and retaliate against foreign trade practices it deems unfair. The investors later withdrew that petition.

The episode highlights the growing risks governments face when regulating American companies, particularly as Washington increasingly frames foreign regulatory actions as non-tariff trade barriers. For South Korea, the challenge is to enforce its data protection laws without appearing to unfairly target U.S. firms.

South Korean officials have sought to reassure their American counterparts, stating that they remain committed to ensuring U.S. companies are not discriminated against and do not face unnecessary barriers under the laws governing digital services.

A Delicate Balancing Act

The case lays bare the tension between protecting citizens’ privacy and managing sensitive trade relationships. On one hand, the breach affected a staggering share of South Korea’s population, creating clear pressure for a forceful regulatory response. On the other, the company’s American registration and the involvement of U.S. trade mechanisms mean any action carries geopolitical weight.

Coupang did not immediately respond to a request for comment on the fine.

What Comes Next

For now, the record penalty stands as both a warning to companies handling vast amounts of personal data and a potential point of friction between Seoul and Washington. How Coupang responds, and whether the dispute reignites U.S. trade scrutiny, could shape the broader conversation about how nations regulate powerful foreign tech companies operating within their borders.

As data breaches grow in scale and frequency, the Coupang case may well become a reference point for regulators and corporations alike, illustrating both the high cost of inadequate security and the complex diplomacy that can follow when a global company stumbles.