Advertisement
UK

Coupang fined record $400m over data breach affecting 37.5 million users

South Korea's PIPC fined Coupang a record $400m after a data breach exposed 37.5 million users' data.

UK

Coupang fined record $400m over data breach affecting 37.5 million users

South Korea has hit online retail giant Coupang with a record $400m (£299m) fine after a data breach exposed the personal details of more than 30 million customers – a figure that represents over half of the country’s 50 million population.

The penalty, the largest ever issued by Seoul’s Personal Information Protection Commission (PIPC), follows a leak that revealed names, contact and delivery details and order histories of customers on the platform often described as South Korea’s equivalent of Amazon.

South Korea's PIPC fined Coupang a record $400m after a data breach exposed 37.5 million users' data.

The commission found that a lack of safeguards – including poor management of authentication signing keys and access controls – had resulted in the personal data of around 37.5 million users being exposed. In addition to the 423.6bn won fine for the breach, the regulator imposed a further 201bn won for the non-consensual collection of information.

Advertisement

Coupang said it “deeply regrets the concern caused” and would strengthen its security measures, but added that it planned to challenge the decision. “Upon receiving the official resolution from the PIPC, we expect that the facts will be clearly established through legal procedures,” the company said, arguing that its explanations and measures to prevent further harm “were not sufficiently reflected” in the commission’s ruling.

The decision follows a months-long probe after allegations of the data leak surfaced in November. Coupang told the BBC at the time that it was initially alerted to a breach involving 4,500 customer accounts and immediately reported it to the authorities. But later checks found that nearly 34 million customer accounts – all in South Korea – were likely exposed. The breach is believed to have begun as early as June through a server based abroad.

In the wake of the incident, Coupang’s boss Park Dae-jun resigned, apologising for the breach. The platform’s chief administrative officer Harold Rogers was appointed interim CEO.

Advertisement

The case is the latest in a series of high-profile cyber-security incidents to hit South Korean firms last year, despite the country’s reputation for tight data privacy standards. Its largest mobile operator, SK Telecom, was fined nearly $100m over a breach involving more than 20 million subscribers.

Advertisement
Advertisement