South Korea has hit online retail giant Coupang with a record fine of more than $400m (£299m) over a massive data breach that exposed the personal data of around 37.5 million customers – more than half of the country’s population.
The fine, the largest ever issued by Seoul’s Personal Information Protection Commission (PIPC) for a data breach, comes after a months-long probe sparked by allegations that surfaced in November. The leak exposed names, contact and delivery details and order histories of some customers of Coupang, South Korea’s largest e-commerce platform often described as its equivalent of Amazon.
“South Korea fines Coupang $400m for data breach exposing 37.5 million users' personal data.”
The PIPC on Wednesday announced a 423.6bn won fine over the personal data breach, and an additional 201bn won for the non-consensual collection of information. The commission found that a lack of safeguards, including poor management of authentication signing keys and access controls, had resulted in the personal data of around 37.5 million users being exposed.
Coupang, which is based in the US but derives the majority of its revenue from South Korea, told the BBC it “deeply regrets the concern caused” and that it will strengthen its security measures, but added that it planned to challenge the PIPC decision. “Upon receiving the official resolution from the PIPC, we expect that the facts will be clearly established through legal procedures,” the company said.
The company said that its explanations and measures to prevent further harm from the data breach “were not sufficiently reflected” in the commission’s decision.
Coupang told the BBC at the time of the initial breach that it was alerted to a breach involving 4,500 customer accounts in November and immediately reported it to the authorities. But later checks found that nearly 34 million customer accounts – all in South Korea – were likely exposed. The breach is believed to have begun as early as June through a server based abroad.
Following the breach, Coupang’s boss Park Dae-jun resigned from his role, apologising for the incident. The platform’s chief administrative officer Harold Rogers was appointed interim CEO.
South Korean firms faced a series of high-profile cyber-security incidents last year despite the country’s reputation for tight data privacy standards. Its largest mobile operator SK Telecom was fined nearly $100m over a data breach involving more than 20 million subscribers.