Song Gyeong-hee, Chairperson of the Personal Information Protection Commission, strikes the gavel during the 11th plenary meeting of the Personal Information Protection Commission for 2026 at Government Complex Seoul in Jongno-gu, Seoul, on the morning of the 10th. /Courtesy of Personal Information Protection Commission

The Personal Information Protection Commission imposed a penalty surcharge of more than 620 billion won on Coupang over a personal data breach and the unauthorized collection of personal information. This is the largest penalty surcharge the Personal Information Protection Commission has ever imposed on domestic corporations, about 4.6 times the previous record of 134.8 billion won on SK Telecom.

The Personal Information Protection Commission said on the 11th that at its 11th plenary meeting on the 10th it voted to impose a 624.681 billion won penalty surcharge and 16.8 million won in fines on Coupang in connection with its personal data leak and infringement. It also decided on corrective orders, disclosure orders, a complaint for prosecution, and recommendations for improvement.

The case came to light when Coupang became aware of a personal data leak in Nov. last year and reported it to the authorities. According to the Personal Information Protection Commission, the hacker was a former Coupang employee who had directly developed an alternative authentication system required for the login process. The investigation found that from Apr. to Nov. last year the personal information of 33,222,472 members and at least 4,338,368 non-members was leaked.

The Personal Information Protection Commission concluded that the leak occurred because Coupang inadequately managed its basic safety management system. The investigation found that Coupang neglected its management obligations, such as failing to rotate or revoke authentication signing keys, and did not detect the hacker's abnormal access. It also retained the addresses and bank account numbers of withdrawn members instead of destroying them, and it did not give notice of the leak within the statutory 72-hour deadline.

In addition, the Personal Information Protection Commission said it confirmed during the investigation that after an order to preserve evidence, Coupang manually deleted part of the web access logs and obstructed the chief privacy officer's (CPO) response to the investigation.

The Personal Information Protection Commission decided to impose a 423.575 billion won penalty surcharge for actions that caused the personal data leak, and 16.8 million won in fines for violating notification and destruction obligations related to the leak.


The Personal Information Protection Commission also confirmed that Coupang collected, without consent, records of the online activity at other companies of about 11.17 million members who accessed its website or app, and stored them in databases (DB) in a way that could identify individual users. The collected information included users' visit records such as URLs or app names, connection time, and connection IP addresses.

It was additionally confirmed that, by failing to properly manage and supervise advertising partners that ran fraudulent ads (ad hijacking), Coupang allowed its service usage records to be collected against users' wishes. The Personal Information Protection Commission imposed a 201.106 billion won penalty surcharge for these violations as well.

To prevent a recurrence, the Personal Information Protection Commission ordered strengthened security measures, notifications of the leak to data subjects who are not members, and guarantees of the CPO's substantive role. It also recommended improvements related to the processing system for withdrawn members' personal information and said it would verify implementation and the results within three months.

The sanctions are the largest penalty surcharge the Personal Information Protection Commission has imposed on domestic corporations. Industry observers expected severe discipline, given the scale of the 33.67 million cases of leaked data and controversies over the incident response.

Under current law, a personal data breach can draw a penalty surcharge of up to 3% of revenue, and based on Coupang's revenue last year (45.5 trillion won), the statutory cap is about 1.365 trillion won. However, the actual amount imposed is determined comprehensively by considering the degree of violation, the scale of harm, and post-incident measures.

Meanwhile, at the meeting the previous day, the Personal Information Protection Commission confirmed that Coupang Fulfillment Services (CFS) violated restrictions on the collection and use of personal information and the processing of sensitive information, and imposed a 248 million won penalty surcharge. CFS had collected a list of 71 reporters with access to the Korean National Police Agency who had no prior work history at its logistics centers and registered and managed them on an employment-restriction list, which the Personal Information Protection Commission judged to violate rules on the collection and use of personal information.

The commission also concluded that CFS violated the rules on processing sensitive information when it submitted workers' weight information, which it held and managed for the purpose of "employee health management," to the court during litigation related to an industrial accident.
