South Korea fines Coupang record $409 million over data breach

South Korea’s Personal Information Protection Commission fined e-commerce company Coupang 624.6 billion won, about $409 million, after a data breach that affected more than 37 million customers.

KEY FACTS

  • Fine: The regulator imposed a record penalty on Coupang and a separate 248 million won fine on its fulfillment subsidiary.
  • Impact: Investigators said personal information for about 37.55 million people was exposed.
  • Issues cited: The case involved weak authentication key management, poor access controls, and violations of destruction and leak notice rules.
  • Compensation: Coupang said it planned to pay 1.685 trillion won and issue purchase vouchers to affected customers.

The regulator said the breach stemmed from inadequate security practices, including failures in authentication key management and access controls. It also cited interference with the independence of Coupang’s data protection officer and obstruction of the investigation.

A disclosure from the regulator said the company violated safety measure obligations and collected personal information without a legal basis. The same disclosure said corrective orders, announcements and publication orders were also imposed.

The breach happened in late June but was not discovered until mid-November, when the company said 33.7 million accounts had been compromised. Authorities later identified a 43-year-old former employee in the IT department as the main suspect.

Coupang later said the suspect had returned multiple hard drives containing sensitive data and disposed of a laptop in a river in an attempt to destroy evidence. The company also said user data for about 3,000 accounts had been retained by the suspect but was deleted from all devices and not shared with others.

WHY IT MATTERS

The case is one of the largest privacy penalties imposed in South Korea and underscores the scale of exposure when controls around access and key management fail. It also highlights the financial and operational cost of delayed breach detection for large consumer platforms.