South Korea’s data protection watchdog has slapped e-commerce giant Coupang with a record fine of more than $400m (£299m) after a massive data breach exposed the personal information of tens of millions of customers — a leak that affected more than half the country’s population.
The Personal Information Protection Commission (PIPC) announced on Wednesday a 423.6bn won penalty over the breach, plus an additional 201bn won for the non-consensual collection of data. The fines are the largest ever imposed by the regulator for a data security incident.
“South Korea fines e-commerce giant Coupang record $400m for data breach exposing 37.5 million users' data.”
The breach, which came to light in November after a months-long investigation, exposed names, contact and delivery details and order histories of some of Coupang’s customers. The company, often described as South Korea’s equivalent of Amazon, initially reported a breach involving 4,500 accounts, but later checks revealed that nearly 34 million customer accounts — all in South Korea — were likely exposed, with the intrusion believed to have begun as early as June through a server based abroad. The commission found that a lack of safeguards, including poor management of authentication signing keys and access controls, had resulted in the personal data of around 37.5 million users being exposed.
Coupang, which is based in the US but derives most of its revenue from South Korea, said it “deeply regrets the concern caused” and will strengthen its security measures. However, it plans to challenge the PIPC decision. “Upon receiving the official resolution from the PIPC, we expect that the facts will be clearly established through legal procedures,” the company said, adding that its explanations and measures to prevent further harm “were not sufficiently reflected” in the commission’s ruling.
The fallout has already reached the top of the company. Coupang’s boss Park Dae-jun resigned from his role, apologising for the incident, and chief administrative officer Harold Rogers was appointed interim CEO.
South Korean firms have faced a series of high-profile cyber-security incidents in the past year despite the country’s reputation for strict data privacy standards. Its largest mobile operator, SK Telecom, was fined nearly $100m over a data breach involving more than 20 million subscribers.