As the Personal Information Protection Commission (PIPC) imposed a record-high penalty surcharge of about 624.7 billion won on Coupang, the retail sector is on edge. With personal data leaks recently occurring at CU's parcel service and CJ ENM's Tving, the PIPC held the company accountable not only for the scale of the leak but also for its overall collection and management system. In particular, it determined that the incident stemmed from inadequate basic safety management, not a sophisticated hacking attack.

According to industry sources on the 11th, the PIPC held a plenary meeting the previous day and resolved to impose a 624.681 billion won penalty surcharge and a 16.8 million won fine on Coupang. This is the largest penalty surcharge the PIPC has ever imposed. The previous high was 134.8 billion won, levied last year over SK Telecom's USIM information leak.

Coupang headquarters in Songpa-gu, Seoul. /Courtesy of News1

The retail sector is taking note that this sanction holds corporations accountable for their overall information protection systems, beyond the personal data leak itself. Because the PIPC flagged not only the leak but also the collection of personal data without legal basis, retailers holding large volumes of member data are on heightened alert.

Personal data leaks have occurred one after another recently in the retail sector. On the 8th, BGF Networks, which operates the parcel service for BGF Retail's CU convenience stores, announced a personal data leak. It said the cause was an external attack by an unidentified party, and the leaked information included IDs, passwords, names, gender, and addresses.

Earlier, on the 3rd, Tving, an online video (OTT) service subsidiary of CJ ENM, said there had been unauthorized access to databases (DB) storing personal information, resulting in the leak of personal data such as IDs, names, and dates of birth.

The PIPC determined that Coupang's personal data leak occurred because of deficient basic safety management and poor oversight by the company, not a sophisticated hack. The number of people affected is about 37.5 million, up about 4 million from the 33.67 million announced in February by the Ministry of Science and ICT's public-private joint investigation team.

Song Kyung-hee, Chairperson of the Personal Information Protection Commission, gives a briefing on the decision to impose penalties for personal information leakage and violations by Coupang and its affiliates at the Government Complex Seoul in Jongno-gu, Seoul, on the 11th. /Courtesy of News1

The PIPC said, "Coupang neglected to manage access rights to authentication signing keys, and even though there were abnormal connections—such as a sharp increase in traffic to pages containing personal information during the attack period compared with normal times—Coupang failed to recognize it."

It also took issue with violations of the obligations to notify leaks and to destroy personal information, the failure to ensure the independence of the chief privacy officer (CPO), and obstruction of the investigation. It said that even after recognizing the leak of members' personal information, the company did not notify them in a timely manner and did not notify non-members at all. It also said the company failed to follow its internal rule requiring the destruction of member information 90 days after withdrawal.

In December last year, while conducting its own investigation into the hacker and disclosing the results on its website, Coupang excluded the CPO from the decision-making process and did not share relevant information. The PIPC said, "This was not merely a lack of internal communication but the hollowing out of the CPO system, which is central to the personal information protection framework, effectively neutralizing the independent authority of the CPO guaranteed by the Protection Act."

Beyond the leak incident, the PIPC also confirmed that Coupang had collected, without authorization, the online activity records of about 11.17 million members who accessed third-party websites and applications (apps). It stored users' visit histories, connection times, and connection IP addresses in databases (DB) alongside personal identifiers, and its oversight of fraudulent advertising ("ad hijacking") was found to be inadequate.

Despite corporations' security investments and strengthened internal controls, personal data leaks have continued to recur, and the PIPC has been stepping up its enforcement stance. An amendment to the Personal Information Protection Act allowing penalty surcharges of up to 10% of revenue when large-scale leaks occur through intent or gross negligence is set to take effect in September. It will not be applied retroactively to incidents that occurred before it takes effect.

Separately from Coupang, the PIPC also sanctioned its affiliate, Coupang Fulfillment Services (CFS), that day. It imposed a 248 million won penalty surcharge over practices including managing a list of reporters accredited to the Korean National Police Agency—who had no work history at the logistics center—as a hiring restriction list, and using employees' weight data in industrial accident lawsuits.

◇ Coupang "We will clarify the facts through legal procedures"

Coupang expressed regret in a statement after the PIPC announced its sanctions. Coupang said, "We apologize for causing concern to our customers and the public due to this incident," but added, "Regarding last year's data leak, we regret that our proactive measures to prevent secondary damage and our explanations based on clear facts were not fully reflected in the PIPC's decision."

It also signaled future legal action. Coupang said, "We will further strengthen our personal information protection framework and work with renewed commitment to regain customer trust," adding, "We expect the facts to be clearly established through legal procedures after we receive the official resolution from the PIPC."

However, because the penalty surcharge is recognized as an expense in the quarter in which the disposition is finalized, it is expected to weigh on second-quarter results. In the first quarter of this year, Coupang also posted an operating loss of 354.5 billion won due to the fallout from the data leak and compensation costs. Since the penalty surcharge is close to last year's annual operating profit (about 679 billion won), there are concerns that medium- to long-term profitability and investment plans could be disrupted.
