
Photo: The Coupang headquarters in Seoul / Yonhap
Coupang, Korea’s leading e-commerce company, faces a possible record-breaking fine of up to 1 trillion won ($770 million) following a massive data breach.
The incident, which exposed the personal information of 33.7 million users, is now the largest data leak in the nation's history. On Saturday, Coupang confirmed that customer accounts had been compromised, with leaked data including names, email addresses and delivery address books containing phone numbers and physical addresses. Some order information was also exposed.
In response, the Personal Information Protection Commission (PIPC) launched an investigation the following day to determine if Coupang failed to implement mandatory safeguards such as access control, rights management and data encryption.
Under the Personal Information Protection Act, companies can be fined up to 3 percent of the revenue directly related to the compromised data. With Coupang's domestic revenue for the first three quarters of this year already at an estimated 31.226 trillion won, a maximum penalty could approach the 1 trillion won mark. This figure could rise further if revenue from integrated services like Coupang Play and Coupang Eats, both of which are accessible through the "Wow" membership, is included in the calculation.
Past cases indicate that a fine of this magnitude is plausible.
The previous record fine was levied against SK Telecom, which was ordered to pay 134.8 billion won for a breach affecting 23.24 million customers. Given that the Coupang leak is significantly larger in scale, market watchers anticipate a steeper fine in this case.
Globally, other tech giants have faced similarly enormous penalties for major data breaches.
Meta, which, like Coupang, is listed on Nasdaq, was fined $5 billion in 2019 for sharing Facebook user data with a political consulting firm. U.S. telecom operator T-Mobile, which suffered a breach affecting 76.6 million people in 2021, agreed to pay up to $25,000 per victim. The company ultimately paid out $350 million in compensation.
Coupang has a history of receiving administrative sanctions, including fines, for past personal information leaks, all of which stemmed from internal issues rather than external cyberattacks.
In October 2021, an error during an app update caused the names and shipping addresses of 14 customers to be exposed under the product search bar for about an hour.
From August 2020 to November 2021, the names and phone numbers of about 135,000 delivery drivers on the food delivery platform Coupang Eats were sent to restaurants.
In December 2023, personal information, including the details of 22,000 customers, was exposed through Coupang's seller-exclusive system.
However, the total amount of fines and penalties imposed on Coupang for these three personal information exposure and leak incidents came to just 1.6 billion won.
Based on past cases, the final penalty could be significantly lower, as regulators often reduce fines when companies take remedial actions after a breach. For example, SK Telecom’s initial fine of 370 billion won was reduced to 134.8 billion won.
As a result, civic groups have called for stronger consumer protections, including class action laws, punitive damages and mandatory evidence disclosure. They warn that without the real risk of bankruptcy for companies that leak personal information, improvements in data security will remain limited, and the Korean government's ambition of becoming an artificial intelligence powerhouse will remain mere rhetoric.
In response to public outcry over the Coupang data breach, presidential chief of staff Kang Hoon-sik on Monday instructed senior presidential secretaries to explore measures to ensure that the punitive damages system functions effectively when a company’s responsibility is clear.
According to presidential deputy spokesperson Jeon Eun-soo, Kang emphasized that the current punitive damages system is virtually ineffective, limiting efforts to prevent large-scale data breaches.
He also noted that the fact that similar incidents have occurred four times at Coupang since 2021 underscores structural weaknesses in the country’s overall personal information protection system.