South Korea's data protection regulator has completed its investigation into the massive data breach of e-commerce giant Coupang and is expected to make a final penalty decision as early as next month, sources said on Tuesday. Security industry sources said that South Korea’s Personal Information Protection Commission (PIPC) recently completed its investigation into the data breach of more than 33 million Coupang users and informed the company of its findings early last month.

The notice lists Coupang’s alleged violations of the Personal Information Protection Act, as well as possible corrective measures that regulators may take, sources said. However, the notice did not mention the specific amount of the fine.

According to its regulations, the Korea Personal Information Protection Commission must notify those suspected of violating the data protection law of the penalties and give them at least 14 days to express their opinions.

Sources believe that in its opinion, Coupang opposed the overall measures that the regulator may take.

Industry insiders believe that the final penalty decision may be made as early as next month, and the Korean Personal Information Protection Commission aims to conclude the case in the first half of this year.

According to South Korea's data protection law, companies that experience personal information leaks may be fined equal to 3% of average annual sales over the past three years, but business sales unrelated to the violation are exempt from fines.

According to Coupang’s U.S.-listed parent company Coupang Inc. With sales in 2025 (about 49 trillion won, or about $32.2 billion), regulators can theoretically impose fines of up to 1.5 trillion won.

Last year, South Korea's Personal Information Protection Commission fined SK Telecom 134.8 billion won over a data breach, the highest fine ever issued by the regulator.

Coupang reported a data breach in November last year that exposed customers' personal information including names, phone numbers and delivery details.

In February this year, a joint public-private investigation confirmed that more than 33.6 million account information had been compromised.