Personal Information Committee Fines Coupang 624.6 Billion Won for 'Personal Information Leak' – Record Amount

South Korea's Personal Information Protection Commission (PIPC) has imposed a record-breaking fine of 624.6 billion won (approximately $450 million) on e-commerce giant Coupang and its affiliates for a significant personal data leak. This penalty marks the largest fine ever issued by the commission, dwarfing the 134.8 billion won penalty levied against SK Telecom last year.

The PIPC's decision, made during a plenary session on June 10, also includes a 16.8 million won administrative fine for Coupang and a separate 248 million won fine for Coupang Fulfillment Services (CFS). Additional measures such as corrective orders, public announcements, and referrals for prosecution were also decided.

An investigation revealed that Coupang failed to implement basic security measures, including inadequate management of authentication signature keys used for internal system access. This lapse allowed former employees to access systems, leading to the exposure of 37.5 million personal data records. The commission also cited violations such as failure to notify and destroy leaked personal information, inadequate protection responsibility, and obstruction of investigation.

To prevent recurrence, the PIPC issued a corrective order requiring enhanced security measures and notification to data subjects who are not members. Coupang has also been recommended to improve its handling of data for withdrawn members and ensure the substantive role of its Chief Privacy Officer (CPO). The commission plans to review Coupang's compliance within three months.

The investigation also uncovered multiple instances of Coupang infringing upon users' rights. The PIPC found that Coupang unlawfully collected and stored the online activity records of approximately 11.17 million members on external websites and apps, identifying individuals in its databases without legal grounds. This collected data included browsing history and access times. Furthermore, Coupang was criticized for failing to adequately manage advertising partners who posted deceptive ads, leading to the collection of service usage records without user consent. Coupang has been ordered to improve transparency in data processing, ensure users' meaningful choices regarding personalized advertising, and strengthen oversight of fraudulent advertising.