South Korea’s President has demanded significantly harsher penalties for corporate data negligence, following a massive leak of over 33 million customer records from e-commerce giant Coupang, the nation’s worst in a decade.
President Lee Jae-myung ordered a comprehensive review of existing fines and punitive damages for such cases during a cabinet meeting. He expressed shock that Coupang, a major online retailer, failed to detect the data breach for five months.
The severe security lapse has sent a “major alarm bell” across the country. It has also significantly impacted Coupang, whose shares listed on the New York Stock Exchange dropped by 5% overnight.
Coupang now faces a police investigation, potentially hefty fines, and class-action lawsuits. Under current South Korean law, companies failing to implement adequate data protection measures can be fined up to 3% of their annual revenue.
Given Coupang’s 2024 revenue of 38.3 trillion Korean Won, this could translate to a fine exceeding 1 trillion Korean Won, approximately $730 million.
President Lee emphasized the need to “completely change” the “wrong practices and ideas of not giving necessary importance to the protection of personal information.” He called personal data a “core asset” in the era of artificial intelligence and digital transformation.
Brett Matthes, Coupang’s Chief Information Security Officer, informed Parliament that the perpetrators obtained private encryption keys. This allowed them to generate fake tokens and impersonate customers.
Coupang CEO Park Dae-jun revealed that the primary suspect is a former engineer involved in the company’s authentication system development. He added that other individuals might also be implicated in the breach.
The leaked information includes customer names, email addresses, home addresses, and phone numbers. The number of affected individuals, over 33 million, exceeds Coupang’s active online retail user base of 24.7 million, suggesting historical data was also compromised.
The company, backed by Japan’s SoftBank Group, issued an apology for the incident. However, South Korean parliament members have called for Coupang’s Korean-American founder, Bom Kim, to apologize personally.
The breach is believed to have initially occurred in June, but Coupang only reported it to authorities in November. President Lee has pushed for rapid identification and punishment of those responsible.