South Korea’s privacy regulator has imposed a record fine of $408 million on e-commerce giant Coupang over a data breach that allegedly exposed the personal information of more than 30 million customers, a case that has also drawn criticism from United States lawmakers.
The Personal Information Protection Commission announced on Thursday that the New York-listed company leaked the personal data of more than 33 million customers and failed to notify authorities of the breach within the 72-hour period required under South Korean law.
According to the regulator, the incident was not the result of a sophisticated cyberattack but stemmed from inadequate security safeguards within the company.
“This accident occurred due to Coupang’s lack of safety measures and systems, not sophisticated hacking,” Song Kyung-hee, the chairperson of the privacy regulator, told a briefing on Thursday.
The commission further accused the company of failing to promptly inform affected users about the incident.
Coupang “delayed breach notifications”, Song said.
“As a result, those individuals were unaware of the breach and deprived of the opportunity to take steps to prevent secondary harm,” she said.
Following the announcement of the penalty, Coupang issued an apology to customers and the public for the concern caused by the data leak.
However, the company expressed disappointment with the regulator’s decision, arguing that its efforts to minimise the impact of the breach were not adequately considered.
“we regret that our proactive measures to prevent secondary harm from last year’s data leak incident, as well as our explanations based on clear facts, were not sufficiently reflected” in the regulator’s decision.
The Seattle-based company, which earns the majority of its revenue from South Korea, indicated that it plans to contest the penalty through legal channels.
The $408 million sanction is the largest data breach-related fine ever issued in South Korea, surpassing the previous record of $88 million imposed on mobile network operator SK Telecom last year.
The decision follows the findings of a government investigation conducted earlier this year, which concluded that management shortcomings contributed to the breach.
At the time, South Korea’s Ministry of Science and ICT reported that a former employee of Chinese nationality had allegedly stolen a security key and used it to gain unauthorised access to customer accounts.
The case has also become a source of tension between Seoul and Washington, with concerns emerging over the treatment of the US-listed company by South Korean authorities.
In April, South Korean lawmakers sent a joint letter expressing concern over what they described as “undue pressure” from US politicians regarding the investigation into the e-commerce company.
The letter, signed by nearly 100 lawmakers, came after several US Republican politicians accused South Korean regulators of engaging in “discriminatory regulatory actions” against American businesses.
According to Seoul-based IM Securities, Coupang controls roughly 40 per cent of South Korea’s logistics market, making it the country’s largest player in the sector.
“Coupang has grown its e-commerce service significantly based on vast customer data,” Song said.
“But the company did not have a system to protect and manage customer information despite its business scale.”
