Republic of Korea: Personal Information Protection Commission required Coupang to implement corrective notification, public disclosure, and strengthened mitigation measures following investigation into data leak

On 3 December 2025, the Personal Information Protection Commission (PIPC) convened an emergency full Commission meeting and required Coupang to implement corrective notification, public disclosure, and strengthened mitigation measures following its investigation into the personal information leakage of customer and account data. PIPC confirmed that Coupang had issued notifications titled “exposure,” removed its website notice after one to two days, and omitted leaked items such as shared-apartment entrance passwords. PIPC instructed Coupang to amend and reissue notifications reflecting “leakage,” include all leaked items, disclose the leakage prominently for a sufficient period, provide preventive guidance to users, strengthen internal monitoring, expand its help-desk capacity, and submit action results within seven days. PIPC stated it will continue investigating the cause, scope, leaked items, and compliance issues. These decisions follow earlier escalation: PIPC announced an investigation on 30 November 2025 after receiving initial notice of a leak on 20 November and commencing investigative work on 21 November, followed by a second leak notification on 29 November. The initial figure of 4’536 affected customers was revised to more than 30 million compromised accounts, prompting the Ministry of Science and ICT to prepare a public-private joint investigation team and, together with PIPC, issue a security notice to prevent secondary damage.