The security investment of the e-commerce (electronic commerce) corporation Coupang, which bills itself as a global tech distribution corporation, was tallied at about 0.2% of total sales. That is low compared with global tech corporations.
◇ Security investment share is low compared with global tech corporations
According to the retail industry on the 3rd, Coupang's security investment relative to sales last year was tallied at about 0.2%. Coupang's sales last year were $30.268 billion. At the won-dollar exchange rate in Feb., that comes to about 41.2901 trillion won in sales, of which Coupang invested 86 billion won in its security system.
That is a low level compared with global tech corporations. The 2023 sales of the e-commerce corporation Amazon were $574.8 billion (about 845 trillion won), and its annual investment in security enhancement and the like was estimated at no less than $6 billion (8.9 trillion won), or about 1% of sales. Microsoft, Google, and JPMorgan also invest about 1.0%–1.9% of total sales.
Coupang's security investment relative to sales was also low compared with domestic rivals. According to the Korea Internet & Security Agency (KISA), Emart invested about 6 billion won in information protection last year. Its sales last year were about 29 trillion won, so the investment was about 0.2% relative to sales. Lotte Shopping invested 7.2 billion won in security, a share of about 0.5% relative to sales.
The retail industry attributes Coupang's low security investment relative to sales to the rapid expansion of its sales. Coupang's sales were only 13.9235 trillion won in 2020, but tripled in five years. A retail industry official said, "As the organization grew rapidly, internal investment should be seen as insufficient."
Some also attributed it to a culture that views security investment as an expense. Even when problems arise in information protection, the penalty surcharge is not large. According to the office of Kim Nam-geun, a member of the National Policy Committee from the Democratic Party of Korea, from Aug. 2020 to Sept. this year, a total of 109,164,950 cases of personal information were leaked, and the cumulative penalty surcharge was 367.115956 trillion won. The penalty surcharge per case was about 3,360 won. Under the Personal Information Protection Act, up to 3% of total sales can be imposed as a penalty surcharge in the event of a personal information leak. However, sales unrelated to the leak can be excluded from the calculation basis.
A security industry official said, "When a large amount of personal information was leaked at GS Retail early last year, retailers were expected to rush to invest in information security, but that did not happen," adding, "It is because of a structure where it is hard to voice investing expenses in things that have not happened and, even if they happen, are considered no big deal, when survival and growth right now are already pressing."
◇ Voices also say "poor internal controls are to blame"
The retail industry's view is that Coupang's personal information leak should be understood as the result of internal control problems, regardless of the absolute amount invested. It happened because the security token remained in place even after the employee in charge of authentication tasks at Coupang left the company. If anything, the criticism is that money was wasted, given that the absolute amount spent on security is itself not small.
A retail industry official said, "Even if you change the front door to an iron door and put a gold rim on it, if the key remains the same, security will inevitably be breached," adding, "The problem is not the investment amount but that the internal manual itself should be seen as wrong." Kim Hwan-guk, a professor in the Department of Information Security and Cryptography at Kookmin University, also said, "It is usual for corporations to erase all accounts or privileges of those who leave the company, so this is puzzling." Kim Seung-joo, a professor at the Graduate School of Information Security at Korea University, said, "The core cause of this incident is a failure to control internal employees."