▲ Coupang
The Personal Information Protection Commission (PIPC) is set to hold a plenary meeting at the Government Complex Seoul today (June 10) to deliberate on sanctions against Coupang, following a data breach involving over 33 million records of personal information.
This comes approximately seven months after the news of Coupang's data breach first emerged in November of last year, drawing significant attention to whether the PIPC will impose a record-breaking fine.
Previously, in February of this year, a joint public-private investigation team under the Ministry of Science and ICT announced the results of its probe into the Coupang incident. The investigation confirmed that 33.67 million pieces of personal information, including user names and email addresses, were leaked through vulnerabilities in Coupang's "My Information Edit" page.
In April, the PIPC sent a pre-notification to Coupang detailing the violations of the Personal Information Protection Act and the planned disciplinary measures. Coupang requested an extension for submitting its response and subsequently provided its explanation.
It is reported that in its statement, Coupang expressed that it largely disagrees with the PIPC's findings.
The PIPC has been reviewing the statement and preparing for the deliberation until recently.
Industry experts suggest that, given the scale of the leak, Coupang could face the largest fine in the commission's history.
The current Personal Information Protection Act allows for the imposition of fines of up to 3% of total revenue in the event of a personal information leak.
Revenue unrelated to the violation is excluded from the calculation.
Coupang reported a revenue of 45.5 trillion won last year in its electronic disclosure system. A simple application of the law suggests a maximum potential fine of approximately 1.3637 trillion won.
However, this is a simple calculation based on the legal maximum; the actual fine will be determined by reflecting the scope of revenue related to the violation, as well as mitigating and aggravating factors.
To date, the largest fine imposed by the PIPC was 134.8 billion won, issued last year regarding a USIM information leak at SK Telecom.
Although an amendment to the Personal Information Protection Act, which includes a "punitive fine" clause allowing for fines of up to 10% of revenue in cases of large-scale leaks caused by intent or gross negligence, has passed the National Assembly, it is not applicable to this case as it is scheduled to take effect this September.
※ Please note: This article was translated by AI and may contain errors.