PIPC Imposes Record Fine of Nearly 625 Billion Won on Coupang After 13-Hour Deliberation

By Choi Seung-hun | Jun 11, 2026

▲ Song Kyung-hee, chairperson of the Personal Information Protection Commission, holds a briefing on the decision to sanction Coupang at the Government Complex Seoul in Jongno-gu, Seoul, on June 11.

The fines imposed by the Personal Information Protection Commission (PIPC) on Coupang and its logistics subsidiary, Coupang Fulfillment Services (CFS), total nearly 625 billion won, the largest amount ever imposed.

This is approximately 4.6 times the previous record fine of 134.791 billion won, which was imposed on SK Telecom (SKT) for a USIM data leak incident.

The fine ballooned to a record high because the watchdog uncovered not only a large-scale personal data leak but also the unauthorized collection and use of personal information without legal grounds, as well as privacy violations by the affiliate.

The PIPC jointly deliberated on: ▲ the leakage of personal information due to negligent management of authentication signing keys and access controls; ▲ the unauthorized collection of members' online activity records on third-party websites and apps; and ▲ personal information violations by the logistics subsidiary, Coupang Fulfillment Services (CFS).

Consequently, a fine of 423.575 billion won and an administrative penalty of 16.8 million won were imposed for the personal data leak.

A fine of 201.106 billion won was imposed for collecting the online activity records of users on third-party websites and apps without legal grounds, while a fine of 248 million won was approved for CFS.

The fine for the data leak was exceptionally large because the scale of the breach far exceeded that of SKT, and Coupang's average annual revenue over the three business years prior to the incident—which served as the basis for calculating the fine—reached approximately 36 trillion won.

The PIPC's fines are determined by taking the three-year average revenue, excluding revenue unrelated to the violation, and then applying assessments of severity, as well as aggravating and mitigating factors.

In Coupang's case, revenues related to Coupang Play, Coupang Eats, and business-to-business (B2B) transactions were excluded.

"Although the maximum fine is set at 3 percent of revenue, it is designed to be calculated by considering all aggravating and mitigating factors, making it practically difficult to reach the absolute maximum," Chairperson Song said. "After deep deliberation and discussion on the severity of the matter and the scale of the damage, we did our best to hand down a fair and appropriate penalty corresponding to their responsibility."

In terms of the scale of the leak, Coupang's breach affected approximately 37.56 million people, which is over 14 million more than the 23.24 million affected in the SKT leak.

At Coupang, the personal information of 33.22 million members and at least 4.34 million non-member data subjects was leaked between April and November of last year.

The PIPC explained that it factored the severity of the violation into its decision, noting that Coupang, a large-scale personal data processor with annual revenues exceeding 30 trillion won, neglected the management of its authentication system and authentication signing keys, and failed to detect multiple anomalies, leading to the massive leak.

Uncooperative behavior revealed during the investigation was also cited as a factor that increased the severity of the sanctions.

According to the PIPC, Coupang manually deleted about five months of web access logs, despite being ordered to preserve evidence, including access records related to the incident, immediately after the investigation began.

Additionally, the company failed to suspend an internal policy that automatically deletes logs after six months, allowing some application logs to be deleted.

Furthermore, the PIPC discovered that Coupang collected, without their consent, the online activity records of approximately 11.17 million members who accessed third-party websites and apps, and stored them in a database in a format that could identify the users.

The information collected by Coupang included visit records of third-party websites and apps (URLs and app names), connection times, and connecting Internet Protocol (IP) addresses.

In addition, the PIPC confirmed that CFS had violated safety measure obligations under the Personal Information Protection Act during its data processing, and imposed a fine on the subsidiary.

The investigation revealed that CFS maintained a list of journalists covering the National Police Agency as a blacklist for employment restrictions and used workers' weight information during industrial accident lawsuits.

Meanwhile, the PIPC held a "marathon" deliberation lasting over 13 hours before deciding on the record-breaking fine.

According to the PIPC, the plenary meeting, which began at 10:00 AM yesterday, June 10, concluded close to midnight.

"The meeting ran long to provide the respondents with sufficient opportunity to present their statements," Chairperson Song said. "It took about five hours just for statements and Q&A regarding the personal data leak case, and another three hours were spent on hearings and Q&A regarding personal information infringement cases, such as the collection of online activity records."

Regarding the decision to deliberate on all three agendas at once, Chairperson Song explained, "Since the plenary meeting is held twice a month, it is efficient to deliberate on them together. The investigations also happened to wrap up around the same time."

(Photo: Yonhap News)
※ Please note: This article was translated by AI and may contain errors.