▲ Song Kyung-hee, chairperson of the Personal Information Protection Commission, holds a briefing on the decision to sanction Coupang at the Government Complex Seoul in Jongno-gu, Seoul, on June 11.
The total fine of nearly 625 billion won imposed by the Personal Information Protection Commission (PIPC) on Coupang and its logistics subsidiary, Coupang Fulfillment Services (CFS), is the largest ever in the country's history.
This is approximately 4.6 times the previous record fine of 134.791 billion won, which was imposed on SK Telecom (SKT) for a USIM information leak.
The fine ballooned to a record high because the regulator uncovered not only a massive personal data leak but also the collection and use of personal information without legal grounds, as well as privacy violations by its subsidiary.
The PIPC deliberated on several violations together, including: the leak of personal information due to negligent management of authentication signing keys and lax access controls; the unauthorized collection of members' online activity records on third-party websites and apps; and privacy violations by its logistics subsidiary, CFS.
Consequently, a fine of 423.575 billion won and an administrative penalty of 16.8 million won were imposed for the data breach.
A fine of 201.106 billion won was imposed for collecting the online activity records of users on third-party websites and apps without legal grounds, while a fine of 248 million won was approved for CFS.
The fine for the data leak was exceptionally large because the scale of the leak far exceeded that of SKT, and Coupang's average annual revenue over the three business years prior to the incident—which served as the basis for calculating the fine—reached approximately 36 trillion won.
The PIPC calculates fines by taking the three-year average revenue, excluding revenue unrelated to the violation, and then applying factors such as the severity of the violation, aggravating factors, and mitigating factors.
In Coupang's case, revenue related to Coupang Play, Coupang Eats, and business-to-business (B2B) transactions was excluded.
"Although the maximum fine is set at 3% of revenue, it is designed to be calculated by considering all aggravating and mitigating factors, making it practically difficult to reach the maximum in reality," Chairperson Song said. "After careful consideration and discussion on the gravity of the matter and the scale of the damage, we did our best to hand down a fair and appropriate penalty corresponding to their responsibility."
In terms of the scale of the leak, Coupang's breach affected approximately 37.56 million people, which is over 14 million more than the 23.24 million affected in the SKT leak.
At Coupang, the personal information of 33.22 million members and at least 4.34 million non-member data subjects was leaked from April to November last year.
The PIPC explained that in determining the severity of the violation, it took into account that Coupang, a large-scale personal information processor with annual revenues exceeding 30 trillion won, neglected its authentication system and certificate signing key management, and failed to detect multiple anomalies, which led to the massive leak.
Non-cooperative behavior revealed during the investigation was also cited as a factor that increased the severity of the sanctions.
According to the PIPC, despite receiving an order to preserve evidence, such as access logs related to the incident immediately after the investigation began, Coupang manually deleted about five months' worth of web access logs.
Furthermore, the company failed to suspend its internal policy of automatically deleting logs after six months, allowing some application logs to be deleted.
In addition, the PIPC discovered that Coupang collected the online activity records of approximately 11.17 million members who accessed third-party websites and apps without their consent and stored them in a database in a format that could identify the users.
The information collected by Coupang included third-party website and app visit history (URLs and app names), access dates and times, and internet protocol (IP) addresses.
Additionally, the PIPC confirmed that CFS violated safety measure obligations under the Personal Information Protection Act during its personal data processing and imposed a fine.
The investigation revealed that CFS managed a list of reporters covering the National Police Agency as an employment restriction list and used workers' weight information during industrial accident lawsuits.
Meanwhile, the PIPC held a "marathon" deliberation lasting over 13 hours before deciding on the record-breaking fine.
According to the PIPC, the plenary meeting, which began at 10 a.m. on the previous day, June 10, did not conclude until close to midnight.
"The meeting was prolonged to give the respondents ample opportunity to present their statements," Chairperson Song said. "It took about five hours just for statements and Q&A sessions regarding the personal data leak, and about three hours were spent listening to opinions and conducting Q&As regarding other privacy violations, such as the collection of online activity records."
Regarding the decision to deliberate on the three agendas at the same time, Chairperson Song explained, "Since the plenary meeting is held twice a month, it is efficient to deliberate on them together. The investigations also wrapped up around the same time."
(Photo: Yonhap News)
※ Please note: This article was translated by AI and may contain errors.