The customer data leak at Coupang, Korea's No. 1 e-commerce company, is escalating into a move for a consumer class-action lawsuit. Although there have been several similar cases in the past, based on the number of leaked cases, some say it could become the largest damages suit ever. There are also projections that the penalty surcharge imposed by the Personal Information Protection Commission (PIPC) could reach the trillion-won level.
According to the industry on the 1st, Coupang is monitoring collective actions such as a consumer class-action lawsuit in connection with the recent customer data leak. For now, online cafes and chat rooms are being created to recruit people to push for a class-action suit, but if it leads to an actual lawsuit, legal action will be inevitable.
After the Coupang data leak was revealed on the 29th, cafes preparing for a class-action suit were opened one after another on major portal sites. Among them, the Naver cafe named "Coupang personal data leak class-action suit" had more than 10,000 members as of 8 a.m. that day. Dozens of open chat rooms have also formed on KakaoTalk, and some have reached their capacity of 3,000 people.
Attorney Kim Kyung-ho of Hoin Law Office said on her social networking service (SNS) the previous day, "The essence of the situation is not an irresistible disaster like hacking, but the responsibility lies with the corporations (Coupang) that failed to detect a massive leak for nearly half a year," adding, "We will file a lawsuit with the Seoul Central District Court on the 24th to have Coupang compensate 100,000 won per victim. In just one day, 1,650 people (as of 11 p.m. the previous day) have joined."
If a class-action suit against Coupang materializes, observers say the company could face the largest compensation amount ever. Based on past cases, the per-person compensation is estimated at around 100,000 won, and because the number of leaked accounts reaches 33.7 million, many people could participate in the suit.
In 2016, when Interpark was hacked, data on 10.3 million people was leaked, leading to a class-action suit, and in 2020—four years later—the court ordered compensation of 100,000 won per person for 2,400 participants. In the data leaks at NH Nonghyup, KB Kookmin, and Lotte Card in 2014 (140 million cases), and Modetour Network in 2024 (3.06 million people), the compensation was also set at 100,000 won per person (70,000 won for Lotte Card).
Of course, lawsuits can take a long time, and it is not easy to prove property damage or corporate negligence, so there are many cases where plaintiffs lost and received no compensation. In the 2012 KT data leak affecting 8.7 million people, the first trial ruled compensation of 100,000 won per person, but years later the Supreme Court did not recognize liability. In the 2011 Nate and Cyworld data leak, the Supreme Court did not finalize recognition of liability until 2018.
Ultimately, the key issues in the litigation are expected to be Coupang's negligence and whether customers suffered damage. Authorities will need to examine whether Coupang violated safety obligations related to personal data protection such as access control, access rights management, and encryption, and assess the extent of customer harm. If there was no material (property) damage, mental damage must be proven.
Choi Kyung-jin, a professor of law at Gachon University, said, "Given the large number of people and the fact that information has already been leaked, in litigation terms alone it will be enormous," adding, "Because payment-related information was not included, I see negligence rather than damage as the core issue." He also said, "Circumstantially, a Chinese national employee resigned and over several months information management (access control) was not done properly, which is a serious problem."
Some note, however, that it is difficult to predict the legal battle until there are specific investigation results and a disposition. The government launched a joint investigation team with the private sector the previous day and began analyzing the cause of the incident, and police also started an investigation. The joint team decided to conduct additional probes into sensitive information such as payment data and passwords, as the scale of damage expanded sharply in follow-up checks after Coupang's first report (Nov. 20, 4,536 cases).
Kim Seung-joo, a professor at the Korea University Graduate School of Information Security, said, "Because it has not been revealed exactly what technique was used to leak the information, it is difficult to compare with past cases yet," adding, "The leaked information and the scale of damage could change after investigation." Professor Choi also said, "Even strategically, it is paramount to pinpoint exactly what went wrong."
There is also speculation that the Personal Information Protection Commission (PIPC) will impose a record penalty surcharge on Coupang. SK Telecom this year was ordered to pay a record 134.8 billion won in penalty surcharge for personal data protection violations tied to a leak affecting 23.24 million people. That resulted from applying the calculation standard under the Personal Information Protection Act revised in 2023, which allows a penalty surcharge of up to 3% of total sales. Applying that to Coupang, whose sales last year exceeded 38 trillion won, the penalty surcharge would top 1 trillion won.