The Personal Information Protection Commission (PIPC) has imposed a record fine of 624.68 billion won on Coupang for a massive data breach. The fine stems from multiple violations of the Personal Information Protection Act, including the unlawful collection of personal data and inadequate security measures.
On June 10, the PIPC held a plenary meeting where it decided to impose a fine of 624.68 billion won and an additional penalty of 16.8 million won on Coupang for failing to comply with safety obligations and violating laws related to the collection and use of personal data. The commission also issued corrective orders, public announcements, and recommendations for improvement, and referred the case for prosecution. Coupang's subsidiary, Coupang Fulfillment Services (CFS), was fined 248 million won for violations related to the collection and use of personal data and the handling of sensitive information.
The PIPC concluded that Coupang neglected basic safety management protocols, leading to the exposure of personal data belonging to approximately 37.5 million individuals.
The commission found that Coupang violated its obligations to notify individuals of data breaches and to properly dispose of personal data. It also noted that the company failed to ensure the independence of its Chief Privacy Officer (CPO) and delayed the submission of materials during the investigation, obstructing the inquiry.
Additionally, Coupang was found to have collected online activity records, including visit histories (URLs and app names), access times, and IP addresses of about 11.17 million users who accessed third-party websites and applications without any legal basis, storing this data in a personally identifiable format in its database.
The commission deemed it unlawful that Coupang allowed user activity records to be collected without the consent of users due to inadequate management and oversight of its advertising partners.
CFS was also found to have collected personal data from 71 police reporters without logistics center work experience, managing this information as part of an employment restriction list. Furthermore, it was revealed that the company submitted employees' weight information, collected for health management purposes, to the court during industrial accident lawsuits, violating regulations on the handling of sensitive information.
The PIPC ordered Coupang to strengthen its safety measures, notify individuals affected by data breaches, and ensure the effective role of its Chief Privacy Officer. The commission also recommended improvements to the handling of data for former members, the protection of individuals' choices regarding personalized advertising, and enhanced management systems to prevent false advertising, with plans to review compliance within three months.
* This article has been translated by AI.
Copyright ⓒ Aju Press All rights reserved.