South Korea is moving decisively to end corporate leniency in data protection after confirming one of the nation’s largest-ever personal information leaks at Coupang. The government’s latest actions mark a structural shift in Korea’s digital governance—where accountability will now rest squarely on CEOs, not compliance teams.
Korea’s Privacy Regulator Confirms Massive Coupang Breach
The Personal Information Protection Commission (PIPC) confirmed that personal data belonging to more than 30 million Coupang users had been exposed, rejecting the company’s claim that only about 3,000 accounts were affected.
Chairperson Song Kyung-hee stated during a press briefing in Seoul that the figure includes both registered members and non-members, such as delivery recipients whose names and contact details were entered by others:
“The confirmed number of affected individuals exceeds 30 million. If non-member information is added, the scale grows even larger.”

The regulator found evidence suggesting Coupang deleted investigation materials, including access logs, while showing limited cooperation. Fourteen veteran investigators—more than were assigned during the SK Telecom hack—have been deployed to the case.
Coupang’s initial disclosure in late 2025 characterized the breach as a “data exposure,” a term that regulators ordered to be corrected to “leak.” The company was also directed to revise its terms that excluded responsibility for illegal access.
Background: Korea’s Data Regulation Enters a New Phase
The Coupang case follows a year of escalating data scandals involving SK Telecom, KT, Netmarble, Kyowon Group, and Lotte Card. Combined, they have prompted the Korean government to overhaul its data governance framework to reflect the realities of AI-driven digital services.
Song emphasized that nationality is irrelevant in enforcement:
“We will investigate based strictly on the law, without considering trade or political variables.”
This statement came after U.S. lawmakers accused Korea of targeting Coupang, which is also listed on the New York Stock Exchange, through “political witch-hunting.” Song dismissed the accusation, clarifying that the investigation is based solely on domestic law and consumer harm.
Stakeholder Statements and Government Stance
Chairperson Song Kyung-hee then outlined the PIPC's plans during the press briefing:
“Coupang’s cooperation was insufficient, and there were cases where data was deleted during the investigation. We plan to establish stronger legal authority for forced inspections and data-preservation orders.”
She also confirmed that investigations into other major leaks are near completion and announced new reforms to reinforce Korea’s preventive privacy system.
“Privacy protection must become a prerequisite of corporate management.”
The PIPC also plans to revoke ISMS-P certifications—the government’s data protection standard—from firms that repeatedly violate privacy obligations. Coupang, which obtained certifications in 2021 and 2024, is expected to face review following four separate data incidents.

Corporate Governance Faces a Reset After Coupang Data Breach
The Coupang case has become a watershed moment for Korea’s corporate accountability model. Regulators are shifting from reactive punishment to proactive prevention, positioning privacy protection as a strategic pillar of digital competitiveness.
Under proposed amendments, companies committing severe or repeated violations could face punitive fines of up to 10 percent of annual revenue—a standard aligned with the EU’s GDPR framework. Conversely, firms that proactively invest in compliance and prevention may qualify for reduced penalties.
Song also confirmed that CEOs will be designated as ultimate data custodians under law, with strengthened authority and obligations for Chief Privacy Officers (CPOs).
The reforms extend to the AI era, where personal data serves as the foundation for advanced services. The PIPC chairperson said:
“Safe data management is not about restriction. It’s about enabling innovation with security and trust.”
A New Standard for Digital Accountability
Finally, Korea's response to the Coupang incident is more than a domestic enforcement action: it marks the emergence of a global governance model in which digital accountability defines competitiveness.
As Asia’s most data-intensive economy transitions toward AI-integrated services, the PIPC’s reforms could set a precedent across the region. The message to corporations is clear: privacy is no longer a compliance box—it is a core determinant of corporate integrity and market trust.


