Coupang Fined $4.7 Billion for Data Breach Affecting 37.5 Million Users

The Personal Information Protection Commission has imposed a fine of 6.247 trillion won (approximately $4.7 billion) on Coupang, marking the largest penalty ever related to a single data breach incident. The breach affected a staggering 37.5 million individuals, compromising personal information including names, email addresses, home addresses, phone numbers, shared entrance codes, and order histories. Additionally, the company was found to have collected online activity records of 11.17 million users without legal justification. While the size of the fine underscores the seriousness of the situation, the core issue lies deeper than mere numbers: it reflects a failure to adequately protect customer data.

In the digital economy, personal information is one of the most critical assets for companies. More accurately, personal data is not a corporate asset but a customer right. Companies do not own this information; they are entrusted with its management. Therefore, data protection transcends a simple legal obligation; it represents the fundamental trust contract between a business and its customers.

The severity of this incident is heightened by the Commission's identification of the cause as a lack of basic safety management systems and negligence, rather than advanced hacking techniques. This incident was not the result of a sophisticated national-level cyberattack but rather a failure of fundamental management protocols. If issues arose in the most basic areas of data protection, such as managing authentication keys, access control, and internal monitoring systems, it indicates a managerial problem rather than a technical one.

Particularly concerning is the exclusion of the Chief Privacy Officer (CPO) from the investigation and decision-making processes. The CPO is the ultimate authority responsible for overseeing data protection within a company. If this role was merely ceremonial, it suggests that the data protection system was not functioning properly. The Commission's classification of this as not just a lack of internal communication but a hollowing out of the system underscores the gravity of the situation.

Another alarming aspect is the unauthorized data collection. Investigations revealed that Coupang stored user activity records from third-party websites and apps in a manner that could identify individuals. While it is a global trend for platform companies to enhance services through data utilization, such practices must be grounded in user consent and legal justification. When personal rights are violated in the name of convenience and innovation, a platform's competitive edge shifts from genuine innovation to monopolistic data collection capabilities.

This incident is not solely a Coupang issue; it serves as a warning for numerous platform and online service companies to reflect on their practices. The more customer information a company possesses, the greater its responsibility. As companies grow, data protection should become a core value of management rather than a cost. For companies holding personal information of millions, prioritizing security investments, internal controls, and the independence of data protection organizations is essential.

The fine of 6.247 trillion won is significant, but the issue extends beyond monetary penalties. The damage caused by a data breach cannot be remedied simply by paying a fine. Once information is leaked, it cannot be reversed, and the repercussions can last for an extended period. It is crucial to remember that the information entrusted to a company by customers is not merely a product but a testament to trust.

Coupang should not view this incident as a mere legal sanction. It must follow through with thorough investigations, responsible apologies, and effective measures to prevent recurrence. The government, too, should continuously enhance the effectiveness of data protection systems and strengthen corporate accountability.

In the digital economy, competitiveness is determined not by the volume of data but by the level of trust. Companies that fail to protect customer data ultimately cannot maintain customer trust. This is the most profound lesson left by the Coupang incident for our society.