No Payment or Secondary Damage… Can It Be a Mitigating Factor? Despite delayed and underreported notifications, which were controversial at the time, ‘The decision on measures against Coupang for the personal information leak incident involving over 33.67 million cases last November will be made as early as the 10th. With it being the largest leak incident among domestic companies, there is interest in whether the fines will be unprecedentedly high or whether the fact that sensitive information like payment details was not leaked will be considered when determining the fines.’
The Personal Information Protection Commission is holding a full meeting to deliberate on the disposition plan regarding Coupang’s personal information leak incident, approximately seven months after the incident occurred. In April, the Commission had sent a prior notice to Coupang containing legal violations and intended measures, and Coupang reportedly submitted an explanatory opinion. The Commission has been reviewing these opinions in preparation for deliberation.
According to a joint investigation report announced by the Ministry of Science and ICT in February, the leaked personal information from Coupang amounted to 33,678,817 records, including names, email addresses, and delivery addresses, surpassing last year’s USIM information leak by SK Telecom (23.24 million). Additionally, delivery addresses and contact details of family and friends registered by Coupang members were also compromised, suggesting that the actual number of affected citizens is much higher.
As a result, there is speculation that Coupang may receive the highest fine ever. The industry anticipates a fine two to three times greater than SK Telecom’s. Currently, the Personal Information Protection Act allows imposing fines up to 3% of sales for such incidents. With Coupang’s last year sales at 45.5 trillion won, a simple application would set the fine at about 1.3637 trillion won. However, the actual fine may not approach the statutory upper limit as it will consider sales relevant to the legal violation, mitigation, and aggravation factors. Even for SK Telecom, recognized for its remedial efforts, only 1% of sales or 134.8 billion won was fined.
Coupang emphasized that no secondary damage was confirmed, and sensitive information like financial or payment details, or USIM authentication keys, was not leaked. They also actively sought to retrieve personal information post-incident. The joint investigation also noted that they couldn’t confirm any external transmissions by the attacker and that there were no payment or secondary damages.
However, there was significant controversy as Coupang violated an order to preserve data for investigating the leak path by deleting five months’ worth of web access log records and also underreported the scale of the leak in their initial report.
The Personal Information Protection Commission has announced that they will apply mitigation and aggravation factors stringently. The Commission’s Chairman, Song Kyung-hee, stated in a briefing last month that responsibility for any wrongdoing according to the law will result in corresponding measures.
Recent personal information leak incidents at online video services like TVING and the CU convenience store parcel service are closely watching Coupang’s deliberation results. The amended Personal Information Protection Act, which allows fines up to 10% of sales, will not be applicable as it will take effect in September.