Coupang faces possibility of record fine over massive data breach
Coupang Inc. faces the possibility of a record fine by the data protection regulator after the New York-listed e-commerce giant suffered a massive breach of customer information, according to industry sources Thursday, Yonhap reports.
The Personal Information Protection Commission (PIPC) has vowed stern action after Coupang said last week that the personal information of 33.7 million customers had been compromised, raising questions about the size of the fine the company could face.
Under the personal information protection law, companies that suffer personal information leaks can be fined up to 3 percent of their total sales, although sales from businesses unrelated to the violation can be excluded.
Based on Coupang's sales last year of 41 trillion won (US$27.8 billion), the company could have a fine of up to 1.2 trillion won imposed.
In August, the privacy watchdog fined wireless carrier SK Telecom Co. a record 134.8 billion won over a data breach that affected 23 million users.
While it marked the highest-ever penalty levied by the regulator, it fell far short of the highest possible amount that could have been imposed of over 300 billion won.
"As there is room for discretion in granting leniency, (we) will make a strict judgment according to the seriousness of the matter," PIPC Chairperson Song Kyung-hee told lawmakers about Coupang's potential fine during a parliamentary national policy committee session Wednesday.
The regulator has maintained a stern stance on Coupang's data breach, demanding the company to re-notify its users of the leak, taking issue with its earlier notification that appeared to downplay the incident as an "exposure" of personal data.
Meanwhile, Coupang's breach has raised questions whether its Personal Information and Information Security Management System (ISMS-P) certification given by the privacy watchdog and the science ministry could be revoked.
Song told the committee it would look into whether Coupang's practices met the certification's standards, and revoke it if major violations are found. No company so far has had their ISMS-P certification canceled.
Earlier, Qazinform reported that one of South Korea’s largest e-commerce companies, Coupang, had confirmed a large scale leak of personal data that affected 33.7 million users.