Coupang Pay, the payment gateway (PG) affiliate that handles in-app payments within Coupang, cut last year's information security spending by about 26% from the previous year. The ratio of actual spending to the initially budgeted amount for information security fell to about half over three years. After a massive data leak at Coupang recently, concerns are growing that a similar incident could occur at Coupang Pay, which operates payment services on the same platform.
According to data the Financial Supervisory Service submitted to People Power Party lawmaker Yun Han-hong on the 5th, Coupang Pay spent 3.47 billion won on information security last year. That was down 25.7% from the previous year's 4.668 billion won. Compared with 2021's 4.17 billion won, it was a 15.7% decrease.
The execution rate versus the initially budgeted information security amount also fell sharply. Coupang Pay budgeted 5.328 billion won for information security last year and executed 65.1% of it. That was slightly higher than the previous year's 62.4% but far below 2021's 131.1%. As of the end of last year, Coupang Pay had 15 information security personnel, accounting for 6.8% of all employees (222).
Last month, information from 33.7 million customer accounts was leaked at Coupang. The leaked data included customer names, email addresses, shipping address books, and some order information.
Coupang said payment information, credit card numbers, and login information were not included, but the Financial Supervisory Service (FSS) determined it could not rely solely on Coupang's account and is conducting an on-site inspection. If potential issues are found during the inspection, the FSS plans to switch to an investigation and look into the details.
Democratic Party of Korea lawmaker Kim Hyeon-jeong on the 3rd pointed out during an emergency inquiry at the National Policy Committee regarding Coupang's personal data leak that information could also be leaked at Coupang Pay. Under Coupang's "one ID" policy, those who sign up for Coupang are automatically registered for Coupang Pay.
Lee Chan-jin, the Financial Supervisory Service (FSS) governor, said, "With the one ID policy, it appears Coupang and Coupang Pay are using the platform together based on a prior agreement. We have begun an on-site inspection of Coupang Pay and will decide whether to launch an investigation as soon as findings are confirmed, and respond proactively."
A Coupang official said, "After concentrating budgets on information security for the first four years, the budget decreased starting last year as the system stabilized," adding, "Of last year's total IT budget, the security budget was 8.2%, exceeding the previous supervisory guideline recommendation of 7%, and security personnel accounted for 10% of total IT staff, double the 5% recommended standard."