Korea Fines Coupang Record $409 Million for Data Breach

A South Korean regulator fined the country’s largest e-commerce platform, owned by U.S.-listed Coupang Inc., a record 624.7 billion won ($409 million) for a wide-ranging cyber-intrusion that escalated into a diplomatic tiff with the U.S.

The Personal Information Protection Commission’s fine for Coupang Corp.—the company’s South Korean entity—is the biggest-ever levied by the country over a personal data breach. It easily surpasses the previous record of a 134.8 billion won penalty imposed on SK Telecom Co. just last year. Under Korean regulations, the regulator can impose fines of up to 3% of annual sales.

“This incident was caused not by a sophisticated hacking method, but by Coupang’s inadequate basic safety management system and negligent management,” said Kyung Hee Song, the chairperson of the regulator. “The company grew rapidly by using large-scale customer data to deliver innovative e-commerce services, but investigation found that its personal information protection and management systems failed to keep pace.”

Coupang, South Korea’s leading online retailing platform, has been under fire after regulators discovered a former employee improperly accessed personal information from nearly 34 million accounts, or about two-thirds of the country’s population, undetected for months.

Domestic backlash against Coupang plus multiple South Korean probes into its cybersecurity measures created friction with the US. After the breach, Greenoaks Capital Partners LLC, a major investor in Coupang Inc., urged the US government to investigate South Korea in January, over what it alleges is discriminatory treatment of the American-listed e-commerce company.

South Korean lawmakers have pushed back what they described as U.S. political pressure over the handling of Coupang and its executives. Coupang is incorporated in the US but operates one of South Korea’s most widely used e-commerce platforms.

Last month, the company warned revenue growth will slow this year after the company issued vouchers to customers in response to the breach. Its shares have shed about 35% since the start of the year.

Coupang said it regretted the regulator’s decision, which “did not fully reflect Coupang’s proactive measures to prevent secondary harm following last year’s data leak.”

“Once we receive the commission’s formal written decision, we hope the facts will be clearly established through the legal proceedings,” it added in a statement released after the decision was announced. Under Korean law, the company could still challenge the ruling in court.

Of the fine, 423.6 billion won was imposed for leaking personal data and 201.1 billion won for non consensual data collection, regulators said. They also imposed a separate 248 million won fine on Coupang Fulfillment Services, Coupang’s logistics subsidiary, for unlawfully collecting personal information and using it to place individuals on an employment restriction list.

Top photo: A Coupang Corp. logo outside a company’s fulfillment center building in Daegu, South Korea, on Monday, Feb. 6, 2023. Photographer: SeongJoon Cho/Bloomberg.