South Korean regulator fines country’s largest e-commerce platform owned by US-listed companies Kupang Inc., a record 624.7 billion won ($409 million) for the large-scale cyber intrusion that escalated into a diplomatic spat with the United States.
Privacy Commission fine for Coupang Corp. – of the company’s South Korean unit – is the country’s largest in history for a personal data breach after being fined 134.8 billion won. SK Telecom Co. last year. Under Korean rules, the regulator can impose fines of up to 3% of annual sales.
“This incident was not caused by a sophisticated hacking method, but by Coupang’s inadequate basic security management system and careless management,” said Kyung Hee Song, chairman of the regulator. “The company grew rapidly by leveraging large-scale customer data to deliver innovative e-commerce services, but the investigation found that its systems for protecting and managing personal information were falling short.”
Coupang, South Korea’s leading online retail platform, has come under fire after regulators found that a former employee had improperly accessed personal information from nearly 34 million accounts, or roughly two-thirds of the country’s population, without detection for months.
The domestic backlash against Coupang plus numerous South Korean investigations into its cyber security measures created friction with the US. Following the breach of Greenoaks Capital Partners LLC, a major investor in Coupang Inc., urged In January, the US government will launch an investigation into South Korea over what it says is discriminatory treatment of an American e-commerce company.
South Korean lawmakers have pushed back what they described as political pressure from the US for working with Coupang and his leadership. Coupang is registered in the US but operates one of the most used e-commerce platforms in South Korea.
Last month, the company warned revenue growth will slow this year after the company issued vouchers to customers in response to the breach. Its shares are down about 35% since the start of the year.
Coupang said it regretted the regulator’s decision, which “does not fully reflect Coupang’s proactive measures to prevent secondary damage following last year’s data breach”.
“Once we receive a formal written decision from the commission, we hope that the facts will be clearly established in the course of the trial,” added the statement released after the decision was announced. Under Korean law, the company can challenge the decision in court.
Of the fine, 423.6 billion won was imposed for leaking personal data and 201.1 billion won for unauthorized data collection, regulators said. They also imposed a separate fine of 248 million won on Coupang Fulfillment Services, Coupang’s logistics arm, for illegally collecting personal information and using it to put people on the no-work list.
