top of page
Search

South Korea’s Coupang fine

  • Writer: Katarzyna  Celińska
    Katarzyna Celińska
  • 2 days ago
  • 2 min read

South Korea has imposed a 625 billion won fine, around USD 409 million, on Coupang after a major customer data breach and findings related to unlawful personal data collection.

 

According to Reuters, this is the largest data breach penalty ever imposed on a company in South Korea. The Personal Information Protection Commission said that Coupang leaked personal data of more than 33 million customers and failed to detect the breach within the 72-hour notification window required by law.

 

 

✅ The chairperson of the privacy regulator stated that the incident was caused by Coupang’s lack of safety measures and systems, not by sophisticated hacking. Reuters also reported that a government-led investigation blamed the breach on management failure.

 

Painting by vectorjuice na Magnific



Regulators are no longer looking only at whether a breach happened. They are looking at whether the organization had adequate governance, controls, monitoring and response capabilities before the breach.

 

✅ A former employee allegedly stole a security key and gained unauthorized access to customer accounts. The regulator said Coupang’s security system allowed access to personal information even after the suspect had left the company. The company also reportedly failed to detect unusual traffic to customer data until it was alerted by a customer inquiry.

 

This raises several uncomfortable questions:

➡️ Was access properly revoked after employment ended?

➡️ Were secrets and security keys managed and rotated?

➡️ Were privileged access controls sufficient?

➡️ Was unusual access to customer data monitored?

➡️ Were alerts meaningful and actionable?

➡️ Was there a breach detection process?

➡️ Did the scale of the business match the maturity of the data protection program?

 

The regulator found that Coupang’s marketing program illegally collected information on the online activities of around 11 million customers without their agreement.

 

✅ Data protection maturity must grow at the same speed as business scale.

If an organization processes data of tens of millions of customers, it needs mature controls.


 
 
 

Comments


Stay in touch

META FOR MENA Information Technology Consultants Est.

City Avenue, 7th floor, office 706-0114

2 27 Street, Port Saeed, Deira, Dubai, United Arab Emirates
P.O. BOX: 40138
Licence N.O.: 1049080

Privacy policy

  • Facebook
  • Twitter
  • LinkedIn
  • Instagram
bottom of page