Coupang data leak sparks push for tougher sanctions

If the Coupang data breach, which exposed the personal information of 33.7 million users, had occurred in the United States, the company would have faced at least 980 billion won in compensation, according to a new analysis. In South Korea, the largest fine imposed so far is 134.8 billion won, levied against SK Telecom after the personal data of 23.24 million users was leaked in April. On Dec. 9, President Lee Jae-myung ordered a review of measures to enhance the effectiveness of legal sanctions.

Legal experts say compensation for personal data breach victims in the United States ranges from $20, about 30,000 won, to as much as $1,000, roughly 1.5 million won, per person. In South Korea, only individuals who actively participate in litigation are eligible for compensation. In the United States, however, victims are automatically included in class-action lawsuits through an opt-out system, which excludes only those who explicitly choose not to participate.

Kim Ik-tae, a U.S. attorney at CIL Foreign Legal Consultant Law Office, said the Coupang case clearly meets the criteria for a class-action lawsuit and that there is no reason for victims not to join. If the breach had occurred in the United States and a class-action suit were filed and won, Coupang could face between $670 million, about 980 billion won, and $33.7 billion, roughly 49 trillion won, in compensation. Separate government-imposed penalties would add to that burden. Kim added that in the United States, the financial risks for companies that fail to protect personal data are extremely high.

As criticism mounts that South Korea’s sanctions are too weak to deter data breaches, President Lee Jae-myung instructed the Cabinet Legislation Office to consider granting the Fair Trade Commission and related agencies compulsory investigative authority to strengthen economic penalties. Presidential spokesperson Kang Yoo-jung said during a briefing that the president stressed the need to make civil fines more practical, noting that stronger administrative penalties could be more effective than relying solely on criminal law. Police have also launched a compulsory investigation into Coupang.

The Cyber Investigation Unit of the Seoul Metropolitan Police Agency said it carried out a search and seizure at the company’s headquarters in Songpa District, Seoul, on suspicion of violations including intrusion into information and communications networks and unauthorized disclosure of secrets under the Information and Communications Network Act.

In the United States, preparations for a class-action lawsuit against Coupang are already underway. SJKP, the U.S. affiliate of South Korea’s Daeryun law firm, announced at a press conference at its Manhattan office on Dec. 8 that it plans to file the lawsuit against Coupang’s U.S. headquarters in the U.S. District Court in New York.


남혜정 namduck2@donga.com·