Coupang Hit with Record $409M Fine by South Korea’s Privacy Watchdog for Massive Data Breach & Unauthorized User Tracking
South Korea’s leading privacy authority has levied an unprecedented 624.68 billion won ($409 million) fine against e-commerce giant Coupang. This monumental penalty addresses a widespread data breach impacting millions and extensive unauthorized tracking of users’ online activities, underscoring the nation’s stringent stance on data privacy violations.
The Personal Information Protection Commission (PIPC) announced Thursday that the record penalty was finalized during a plenary meeting. The commission’s findings revealed critical data security lapses, indicating Coupang’s failure to implement fundamental safeguards for customer data. Specific deficiencies highlighted include inadequate management of authentication signing keys and severely weak access controls, directly contributing to the privacy incident.
This landmark fine stands as the largest ever imposed by a South Korean government agency on a company for a data breach. It significantly eclipses the prior record set in August last year, when SK Telecom faced a 134.79 billion won fine along with 9.6 million won in administrative penalties following a hacking incident. This emphasizes a growing regulatory focus on robust data protection within the country.
For global context, Ireland’s Data Protection Commission imposed a 265 million euro ($306 million) fine on Meta in 2021, related to the exposure of personal data belonging to 533 million users.
The substantial fine levied against Coupang nearly equals the $473 million in operating profit the company reported last year, underscoring the significant financial repercussions of neglecting data privacy responsibilities.
The PIPC detailed that Coupang’s critical security lapses resulted in the personal information leak of approximately 37.5 million individuals. This figure represents an upward revision from an earlier government-led investigation in February, which initially identified 33.67 million compromised records, including sensitive data such as names and email addresses. A significant portion of the total penalty, 423.58 billion won, was specifically allocated for this data breach, complemented by 16.8 million won in administrative fines.
Beyond the breach, the PIPC identified several additional privacy violations. Coupang was cited for failing to promptly notify affected individuals, neglecting its legal obligation to delete personal data, compromising the independence of its chief privacy officer, and actively interfering with the regulator’s inquiry. Consequently, the commission has mandated that Coupang implement stronger data security controls, issue notifications to affected non-members, and empower its chief privacy officer with enhanced independence and authority to prevent future privacy incidents.
In a separate but equally significant finding, the PIPC determined that Coupang engaged in unauthorized user tracking. The company collected extensive online activity records from approximately 11.17 million members as they navigated third-party websites and applications. Crucially, this collected data was stored in a manner that allowed the identification of individual users. The tracked records encompassed detailed information such as website and app visit histories, URLs, application names, access times, and IP addresses, representing a significant breach of user privacy.
For these unauthorized tracking practices, the commission imposed an additional 201.11 billion won fine. Coupang has been ordered to significantly enhance transparency in its data processing operations, offer users genuine choices regarding personalized advertising, and reinforce oversight of its advertising partners. Furthermore, the regulator highlighted Coupang’s failure to adequately supervise partners involved in “hijacking ads,” which illicitly collected users’ Coupang service usage records without explicit consent, compounding the privacy concerns.
“We apologize for causing concern to our valued customers and the public regarding the personal data leak,” stated a Coupang official in response to the ruling.
However, the official contended that Coupang’s proactive measures to prevent secondary damage and its explanations, based on clear factual evidence, were not adequately considered in the commission’s final decision.
Coupang also defended its affiliate marketing program, Coupang Partners, asserting that it operates lawfully under a global partnership model while simultaneously safeguarding customer data. The company further stated its expectation that the complete facts would be clarified through subsequent legal procedures, once it receives the commission’s official written decision.
Separately, Coupang Fulfillment Services (CFS), the company’s logistics subsidiary, also incurred penalties for distinct privacy infractions. The PIPC found that CFS illicitly collected the names of 71 reporters covering the Korean National Police Agency and subsequently placed them on an employment restriction list, despite these individuals having no prior employment history at Coupang logistics centers.
Furthermore, CFS was found to have improperly submitted sensitive personal data, specifically workers’ weight records, to a court during litigation concerning an industrial accident. This data, initially collected solely for employee health management purposes, was deemed to be handled improperly by the commission. Consequently, a separate 248 million won fine was imposed on CFS for this violation, highlighting the strict rules surrounding sensitive personal information.
