Record Fine Imposed on Coupang for Data Breach
South Korea has imposed a record fine exceeding $400 million (£299 million) on the online retail giant Coupang following a significant data breach that compromised the personal information of over 30 million customers last year.
This penalty represents the largest fine ever issued by Seoul's Personal Information Protection Commission (PIPC) in relation to a data breach.
Details of the Data Exposure
The breach exposed sensitive customer information including names, contact and delivery details, as well as order histories. Coupang is South Korea's largest e-commerce platform and is often compared to Amazon.
The company issued a statement to the BBC expressing regret over the incident and committed to enhancing its security measures. However, Coupang also indicated plans to contest the PIPC's ruling.
The scale of the breach is significant, affecting more than half of South Korea's population, which is approximately 50 million people.
Commission's Findings and Fine
On Wednesday, the PIPC announced a fine of 624.68 billion won against Coupang, citing violations of safety obligations and the unlawful collection of personal data.
The commission's investigation revealed insufficient safeguards, including poor management of authentication signing keys and inadequate access controls, which led to the exposure of personal data belonging to roughly 37.5 million users.
Coupang's Response to the Decision
Coupang stated that its explanations and preventative measures were not adequately considered in the commission's decision.
"Upon receiving the official resolution from the PIPC, we expect that the facts will be clearly established through legal procedures," said Coupang.
Background and Investigation
The fine follows a prolonged investigation that began after allegations of the data leak emerged in November.
Although Coupang is headquartered in the United States, the majority of its revenue is generated in South Korea.
In November, Coupang informed the BBC that it had been alerted to a breach affecting 4,500 customer accounts and promptly reported the incident to authorities. Subsequent investigations revealed that nearly 34 million customer accounts in South Korea were likely compromised. The breach is believed to have started as early as June via a server located abroad.
Leadership Changes and Industry Context
Following the breach, Coupang's CEO Park Dae-jun resigned and issued an apology for the incident. Harold Rogers, the platform's chief administrative officer, was appointed as interim CEO.
South Korean companies experienced several high-profile cybersecurity incidents last year despite the country's reputation for stringent data privacy standards.
For instance, SK Telecom, the nation's largest mobile operator, was fined nearly $100 million due to a data breach affecting over 20 million rs.
