South Korea Levies Record £318 Million Fine on Coupang After 37.5 Million Customer Data Breach

The South Korean Personal Information Protection Commission (PIPC) has issued a fine of 624.68 billion won (approximately £318 million) to Coupang, the US-based e-commerce platform that generates most of its revenue from South Korea. The fine, the largest ever levied by the PIPC for a data breach, was imposed due to Coupang's alleged violations of "safety obligations and collecting personal data without legal grounds."

The PIPC's investigation, which commenced in November following initial allegations, concluded that inadequate security measures were responsible for the exposure of customer information. These deficiencies included poor management of authentication signing keys and insufficient access controls, leading to the compromise of names, contact details, delivery information, and order histories for approximately 37.5 million users.

Coupang has expressed regret for the incident and indicated that it plans to challenge the PIPC's decision. The company stated that its explanations and preventative measures were not adequately considered in the commission's ruling, anticipating that "the facts will be clearly established through legal procedures" upon receipt of the official resolution.

The breach, believed to have originated from a server abroad as early as June, prompted the resignation of Coupang's boss, Park Dae-jun, with Harold Rogers subsequently appointed interim CEO. This incident follows a series of high-profile cybersecurity failures within South Korea, despite the country's stringent data privacy regulations. Notably, SK Telecom, the nation's largest mobile operator, was fined nearly £79 million last year for a data breach affecting over 20 million subscribers.