Coupang Fined 624.6 Billion Won for Data Breach and Unauthorized Collection of Personal Information

▲ Coupang

The Personal Information Protection Commission (PIPC) has imposed a total fine of 624.6 billion won on Coupang for leaking the personal information of 37.5 million people and collecting members' online activity records without legal basis.

The commission issued a fine of approximately 423.6 billion won for the personal information breach, and a separate fine of 201.1 billion won for violations including the unauthorized collection of online activity records of over 10 million members.

This is the largest fine ever imposed for a single personal information breach, and the highest total amount of fines levied against a single company for multiple violations.

The PIPC announced today (June 11) that it held a plenary meeting at the Government Complex Seoul on June 10 to deliberate on sanctions regarding Coupang's failure to fulfill its obligations for personal information safety measures, deciding to impose a fine of 423.575 billion won.

The commission also decided to impose an administrative fine of 16.8 million won on Coupang.

The PIPC concluded that the personal information of approximately 37.5 million people was leaked due to inadequate basic safety management systems, such as poor management of authentication signature keys and lax access control at Coupang.

During the investigation, the commission also confirmed additional violations, including failure to notify users of the data breach, failure to fulfill obligations to destroy personal information, failure to ensure the independence of the Chief Privacy Officer (CPO), and obstruction of the investigation.

The PIPC issued corrective orders to Coupang, requiring the company to strengthen safety measures to prevent the recurrence of similar incidents, notify non-member data subjects of the breach, and ensure the practical role of the CPO.

The commission also recommended improvements regarding the personal information processing system for withdrawn members and decided to verify the implementation and results of these measures within three months.

In addition, the PIPC confirmed that Coupang had collected, without authorization, the online activity records of approximately 11.17 million members who visited third-party websites and apps, storing them in a database (DB) while identifying individual users. A separate fine of 201.1066 billion won was imposed for this violation.

When combined with the approximately 423.6 billion won fine for the personal information breach, the total amount of fines imposed by the PIPC on Coupang reaches 624.681 billion won.

The online activity records of members that Coupang collected without authorization include user visit records to third-party websites and apps (URLs, app names, etc.), access dates and times, and IP addresses.

The PIPC also confirmed that Coupang failed to properly manage and supervise advertising partners who posted so-called "hijacking ads," which are fraudulent advertisements.

Consequently, the commission found that records of users' service usage were collected against their will.

The PIPC issued corrective orders to Coupang to enhance the transparency of personal information processing, ensure that data subjects have practical choices regarding personalized advertisements, and strengthen management and supervision to prevent fraudulent advertisements.

Furthermore, the PIPC determined that Coupang Fulfillment Service (CFS), a subsidiary operating Coupang's logistics centers, violated regulations regarding the collection and use of personal information by collecting a list of 71 reporters from the National Police Agency who had never worked at the logistics centers and registering them on a list of individuals restricted from employment.

The commission also imposed a separate fine of 248 million won for the violation of sensitive information processing, as the company submitted employees' weight information—held and managed for the purpose of "employee health management"—to the court during litigation related to industrial accidents.
※ Please note: This article was translated by AI and may contain errors.
Copyright Ⓒ SBS & SBSi. All rights reserved.
Copying, redistribution, and unauthorized use in AI training are strictly prohibited.
