Coupang faces possibility of record fine over massive data breach
UPI
Coupang Inc. faces the possibility of a record fine by the data protection regulator after the New York-listed e-commerce giant suffered a massive breach of customer information, according to industry sources Thursday.
The Personal Information Protection Commission (PIPC) has vowed stern action after Coupang said last week that the personal information of 33.7 million customers had been compromised, raising questions about the size of the fine the company could face.
Under the personal information protection law, companies that suffer personal information leaks can be fined up to 3 percent of their total sales, although sales from businesses unrelated to the violation can be excluded.
Based on Coupang's sales last year of 41 trillion won (US$27.8 billion), the company could face a fine of up to 1.2 trillion won.
In August, the privacy watchdog fined wireless carrier SK Telecom Co. a record 134.8 billion won over a data breach that affected 23 million users.
While it marked the highest-ever penalty levied by the regulator, it fell far short of the maximum that could have been imposed, which was over 300 billion won.
"As there is room for discretion in granting leniency, (we) will make a strict judgment according to the seriousness of the matter," PIPC Chairperson Song Kyung-hee told lawmakers about Coupang's potential fine during a parliamentary national policy committee session Wednesday.
The regulator has maintained a stern stance on Coupang's data breach, demanding that the company re-notify its users of the leak and taking issue with its earlier notification, which appeared to downplay the incident as an "exposure" of personal data.
Meanwhile, Coupang's breach has raised questions about whether its Personal Information and Information Security Management System (ISMS-P) certification, given by the privacy watchdog and the science ministry, could be revoked.
Song told the committee that the commission would look into whether Coupang's practices met the certification's standards, and revoke it if major violations are found. No company so far has had its ISMS-P certification canceled.
Copyright (c) Yonhap News Agency prohibits its content from being redistributed or reprinted without consent, and forbids the content from being learned and used by artificial intelligence systems.