Coupang hit with record 624.7 billion won fine by Korean regulator over privacy violations
Summarized and contextualized by DistantNews.
At a glance
- South Korea's data protection regulator fined e-commerce giant Coupang a record 624.7 billion won for privacy violations.
- The company unlawfully collected user activity records and its negligence led to a data breach affecting millions.
- Coupang has expressed regret and indicated its intention to challenge the fine legally.
South Korea's Personal Information Protection Commission (PIPC) has levied a record-breaking fine of 624.7 billion won (approximately US$410 million) against e-commerce behemoth Coupang for significant privacy violations. An additional penalty of 16.8 million won was also imposed, marking the largest sanction ever issued by the watchdog against any conglomerate, domestic or foreign.
The PIPC's investigation revealed that Coupang unlawfully collected and stored the online activity records of over 11 million users who interacted with Coupang advertisements on external websites and apps, without any legal basis. Furthermore, the commission found that Coupang's inadequate management of its key management system allowed a former employee to conduct a cyberattack, leaking the personal information of approximately 37.5 million individuals. This figure includes 33.22 million members and 4.33 million non-members, a number higher than initially reported.
The data breach exposed sensitive information, including delivery addresses of family members and friends, apartment entrance passwords, and order details. In some instances, the hacker directly accessed apartment passwords that had not been de-identified. The leaked information also included sensitive purchase histories, such as adult toys and underwear, which were later used in blackmail attempts against Coupang. The company faced criticism for causing confusion by initially reporting that the breach affected only 3,000 people, based solely on the hacker's unverified testimony.
Coupang issued a statement expressing regret, asserting that the PIPC's decision did not adequately reflect the company's preemptive measures to mitigate secondary damage or its explanations based on factual relationships. The e-commerce giant indicated its intention to pursue legal action, including filing an administrative lawsuit, to contest the substantial fine.
Coupang expressed regret that the PIPC "did not reflect our preemptive measures taken to prevent secondary damage related to the crisis and the explanations based on clear factual relationships in its decision."
Originally published by Hankyoreh. Summarized and contextualized by our editorial team with added local perspective.