Coupang fined record amount over data leak

Coupang has been ordered to pay a record 624.68 billion won after South Korea’s privacy regulator concluded that the company was responsible for a massive data breach and unlawfully collected users’ online activity data. The penalty is the largest ever imposed by the Personal Information Protection Commission (PIPC).

At a briefing Thursday at the Government Complex Seoul, the PIPC said it would impose a total penalty of 624.68 billion won on Coupang, including 423.58 billion won for the data breach and 201.1 billion won for collecting users’ online activity records without legal authorization. The commission also levied an administrative fine of 16.8 million won and imposed a separate 248 million won penalty on Coupang subsidiary Coupang Fulfillment Services (CFS). The decision comes about seven months after the breach was first disclosed in November last year.

The penalty is about 4.6 times larger than the 134.79 billion won fine imposed on SK Telecom in August last year. The commission determined that personal information belonging to roughly 37.55 million people, including 33.22 million registered users and 4.33 million nonmembers, was exposed because of inadequate security safeguards, including poor management of certificate-signing keys and failures to detect suspicious traffic. Investigators also found that Coupang collected and stored the online activity records of 11.17 million users without a legal basis for personalized advertising.

PIPC Chairperson Song Kyung-hee said the breach was not the result of sophisticated hacking techniques but rather stemmed from lapses in the company’s basic security controls and oversight. “This incident was caused not by advanced hacking methods but by deficiencies in Coupang’s fundamental security management system and inadequate supervision,” Song said. “We did not consider any other factors surrounding the case, including whether the company was domestic or foreign.”

Coupang said it would review the commission’s formal ruling after receiving the official decision and determine its response through legal channels.


한재희 hee@donga.com