Coupang Faces Record-Breaking Fine After Massive Data Breach
South Korea's e-commerce giant, Coupang, is currently embroiled in a significant controversy, facing the prospect of an unprecedented fine that could soar to nearly 1 trillion won (approximately $770 million USD). This comes in the wake of a monumental data breach that has compromised the personal information of 33.7 million users, marking it as the largest data leak in the nation's history.
The company officially acknowledged on Saturday that customer accounts had been compromised. The breach exposed a trove of sensitive data, including individuals' names, email addresses, and comprehensive delivery address books containing phone numbers and physical addresses. Furthermore, certain order-related information was also part of the leaked data.
PIPC Investigation and Potential Penalties
In response to the severity of the incident, the Personal Information Protection Commission (PIPC) swiftly launched an investigation the very next day. The inquiry aims to ascertain whether Coupang neglected to implement crucial mandatory safeguards, such as robust access control mechanisms, comprehensive rights management protocols, and essential data encryption measures, as stipulated by law.
Under the provisions of Korea's Personal Information Protection Act, companies found in violation can face penalties amounting to up to 3 percent of the revenue directly associated with the compromised data. Given Coupang's substantial domestic revenue, which for the first three quarters of the current year alone is estimated at 31.226 trillion won, a maximum penalty could indeed approach the staggering 1 trillion won mark. This potential fine could even escalate further if revenues from integrated services, like Coupang Play and Coupang Eats — both integral components of the "Wow" membership program — are factored into the calculation.
Comparison with Past Data Breach Fines
Domestic Precedents
Historical precedents suggest that a fine of this magnitude is not entirely implausible. The previous record for such a penalty in South Korea was imposed on SK Telecom, which was ordered to pay 134.8 billion won following a breach impacting 23.24 million customers. Considering the Coupang leak dwarfs this previous incident in scale, market analysts anticipate an even more substantial fine in the present case.
Global Tech Giants' Penalties
Globally, major tech entities have also grappled with colossal penalties for significant data breaches. Meta, which, like Coupang, holds a Nasdaq listing, incurred a $5 billion fine in 2019 for the unauthorized sharing of Facebook user data with a political consulting firm. Similarly, U.S. telecom giant T-Mobile agreed to a $350 million compensation payout after a 2021 breach affected 76.6 million individuals, with the initial agreement allowing up to $25,000 per victim.
Coupang's Track Record of Sanctions
Coupang's record isn't unblemished when it comes to administrative sanctions related to personal information leaks. Past incidents, all attributed to internal operational issues rather than external cyberattacks, have resulted in fines. For instance, an application update error in October 2021 briefly exposed the names and shipping addresses of 14 customers. Between August 2020 and November 2021, the names and phone numbers of approximately 135,000 Coupang Eats delivery drivers were inadvertently sent to restaurants. Most recently, in December 2023, personal details belonging to 22,000 customers were exposed via Coupang's seller-exclusive platform. However, the cumulative fines for these three prior incidents amounted to a mere 1.6 billion won.
It's important to note that the final penalty in the current case could be significantly reduced. Regulators often scale down fines when companies demonstrate proactive remedial actions post-breach, as seen with SK Telecom, whose initial fine of 370 billion won was eventually trimmed to 134.8 billion won.
Civic Groups Demand Stronger Protections
In light of these repeated issues and the potential for reduced fines, civic groups are vociferously advocating for more stringent consumer protection laws. Their demands include the implementation of class-action litigation, punitive damages, and mandatory evidence disclosure. These groups warn that without the genuine threat of bankruptcy for corporations that mishandle personal information, meaningful improvements in data security will remain elusive, thereby undermining the Korean government's aspirations to become a global leader in artificial intelligence.