More Than Four Times the Previous Record Fine Imposed on SK Telecom
Violations Confirmed: Breach of CPO Independence and Obstruction of Investigation
CFS Registered 71 Police Press Corps Members on Employment Restriction List

Coupang and its affiliate, Coupang Fulfillment Services (CFS), which were responsible for a massive personal data breach in November last year, have been fined a record-high penalty of 624.9 billion won.


"37.5 Million Data Leaked"... Coupang Hit with Record 624.9 Billion Won Fine

The Personal Information Protection Commission convened a plenary session the previous day and, after more than 12 hours of deliberation, announced its decision to impose a penalty of 624.681 billion won on Coupang for violations including failure to implement mandatory security measures and collecting personal information without a legal basis for consent. The commission also imposed an administrative fine of 16.8 million won. CFS was fined 248 million won for violations related to personal information processing.


This amount is about half of the maximum penalty limit (up to 3% of total sales, or 1.3637 trillion won) that can be imposed under the current Personal Information Protection Act for such data breaches. It is more than four times the previous record penalty imposed on SK Telecom (134.8 billion won).


The commission concluded that Coupang's insufficient basic security management system, including poor management and access control of authentication signing keys, resulted in the leakage of personal information belonging to approximately 37.5 million individuals. Specifically, the leak covered the personal information of around 33.22 million members (based on account data) and at least 4.33 million non-member data subjects (based on mobile phone numbers included in delivery address management pages).


The commission further stated, "We additionally confirmed violations such as non-compliance with notification and destruction obligations in case of leaks, failure to guarantee the independence of the Chief Privacy Officer (CPO), and obstruction of the investigation," adding, "We have issued corrective orders, including strengthening safety measures to prevent recurrence of similar incidents, implementing notification of data breaches for non-member data subjects, and ensuring the substantive role of the CPO." It also recommended improving the handling of personal information for withdrawn members and said it would check on the implementation and results within three months.


Additionally, Coupang was found to have infringed on the rights of data subjects by collecting, without consent, the online activity records of approximately 11.17 million members who accessed third-party websites and applications (apps), and storing this data in its database in an identifiable form. The records included visit records (URLs and app names), access dates and times, and IP addresses of users who accessed third-party sites and apps displaying Coupang advertisements.


The commission revealed, "We found that Coupang failed to properly manage and supervise advertising partners who posted fraudulent advertisements (such as kidnapping ads), resulting in the collection of Coupang service usage records against users' wishes." The commission issued corrective orders to enhance transparency in personal data processing, ensure that data subjects have meaningful options regarding personalized advertising, and strengthen management and supervision to prevent fraudulent advertisements.


In the case of CFS, the company collected and managed a list of 71 Police Agency press corps members, none of whom had any history of working at its logistics centers, by registering them on an employment restriction list (violating standards for personal information collection and usage). The company also submitted employees' weight information, which it had retained for health management purposes, during a lawsuit related to industrial accidents (violating standards for handling sensitive information).



Meanwhile, the commission addressed the discrepancy with the findings of the joint public-private investigative team under the Ministry of Science and ICT, which in February reported 33,673,817 leaked records. The commission explained, "The investigation team based its estimate on the number of views of the 'member information edit page' according to access logs, whereas the commission excluded cases where attackers made duplicate requests or when there was no personal information in the database due to membership withdrawals, among other reasons." The commission added, "Instead, we included at least a minimum number of non-member data subjects."


This content was produced with the assistance of AI translation services.

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
