
[Alpha Biz = Kim Jisun] Lee Jeong-ryeol, Vice Chair of South Korea’s Personal Information Protection Commission (PIPC), said on December 2 that the agency is actively reviewing the possibility of imposing a fine exceeding KRW 1 trillion against Coupang in connection with the leak of 33.7 million user accounts.
At a parliamentary hearing of the Science, ICT, Broadcasting and Communications Committee, Democratic Party lawmaker Cho In-cheol asked whether fines could exceed KRW 1 trillion. Vice Chair Lee responded, “Since this case constitutes a data leak, it falls within the scope of administrative fines. We are reviewing it as a key focus.”
He added that partial exemption from liability is possible only if a company proves it met all security requirements—an evidentiary burden that lies with Coupang. The commission will consider not only the company’s confirmed revenue base but also the severity of the violation when determining the final penalty.
Under Korea’s Personal Information Protection Act, regulators can impose fines of up to 3% of a company’s total revenue for data leaks, excluding revenue unrelated to the incident. Based on Coupang’s 2023 revenue of KRW 41 trillion, the maximum fine could exceed KRW 1.2 trillion.
Lawmakers criticized previous fines imposed on Coupang—which totaled only KRW 1.6 billion across three earlier leak cases—as too lenient. Lee acknowledged, “Those penalties were small. We will actively review measures to hold companies strictly accountable in proportion to the seriousness of violations.”
In response to concerns that Coupang had obtained ISMS-P certification twice despite repeated breaches, Lee said the commission has formed an internal task force and is in the final stages of reviewing broad reforms. These include introducing pre-assessment procedures, strengthening post-monitoring, and enabling revocation of certification when serious deficiencies are identified.
Alphabiz Reporter Kim Jisun (stockmk2020@alphabiz.co.kr)

















