0
Song Kyung‑hee, chairperson of the Personal Information Protection Commission, briefs on the decision to sanction Coupang at the Government Complex Seoul in Jongno District on June 11. /Yonhap News

The government has imposed a total fine of ₩625 billion on Coupang for leaking the personal information of 37.55 million people and unlawfully collecting and storing members’ data. This is the largest fine ever levied by the government for a personal‑information breach. The Personal Information Protection Commission (PIPC) judged that Coupang neglected basic safety management despite handling data equivalent to the country’s entire economically active population, and even obstructed the government’s investigation by deleting web access logs after the breach.

On June 11, the PIPC announced at a briefing at the Government Complex Seoul that it had imposed a fine of ₩624.681 billion and an administrative penalty of ₩16.8 million on Coupang, along with corrective orders. In addition, Coupang Fulfillment Services (CFS), found to have violated personal‑information protection regulations, was fined ₩248 million.

The fine against Coupang is more than 4.5 times higher than the ₩134.8 billion imposed on SK Telecom last August for leaking 23.24 million personal records.

The PIPC held a plenary session on June 10 to deliberate on sanctions against Coupang for violating obligations to safeguard personal information. Specifically, ₩423.575 billion was levied for the data breach itself, and ₩201.106 billion for collecting and using members’ personal information without legal grounds.

According to the PIPC, the number of leaked records at Coupang totals 37.55 million—nearly 4 million more than the 33.67 million identified in February by a joint public‑private investigation team under the Ministry of Science and ICT. A former employee who had developed an alternative authentication system accessed Coupang’s service pages until November last year, extracting data from 33,222,472 members and 4,338,368 non‑members. The PIPC concluded that Coupang’s management of authentication keys and access controls, which function as master keys, was fundamentally inadequate.

The commission also considered as an aggravating factor that Coupang deleted some web log records despite a government order to preserve evidence after the investigation began in November. PIPC chairperson Song Kyung‑hee stated, “Because some app logs were deleted, we estimated the number of non‑member leaks at a minimum of 4.33 million, but there may be more. We believe the fine is a legitimate disposition based on law and principle.”

                                                                                                           Kim Hong‑chan