Massive info leakage fuels calls to rewrite compensation rules for misconduct in digital era

President Lee Jae Myung speaks during a Cabinet meeting at the presidential office in Yongsan, Seoul, Tuesday. (Yonhap)

President Lee Jae Myung ordered a swift investigation Tuesday into the massive data breach at e-commerce giant Coupang and signaled that his administration may seek punitive damages to prevent similar lapses, calling the incident “astonishing” in scale and negligence.

At a Cabinet meeting, Lee criticized Coupang for failing to detect the breach for nearly five months following the initial intrusion in June, even as personal information belonging to an estimated 34 million users, including names, addresses and phone numbers, was siphoned out.

“It is shocking that the company failed to recognize the leak for five months despite the magnitude of the damage,” Lee said. He urged regulators to overhaul what he described as Korea’s entrenched practice of downplaying personal data protection, which he called “a key asset in the AI and digital age.”

Lee told ministries to enforce penalties under existing law and to advance discussions on adopting punitive damages, citing international examples. Korea currently operates strictly under a compensatory damages principle, meaning courts cannot award penalties that exceed the amount directly proven as harm — a framework critics say lets major corporations escape meaningful accountability.

Monthslong leak exposed millions

According to findings presented Tuesday by the Ministry of Science and ICT at a parliamentary session, the breach lasted from June 24 to Nov. 8. A review of Coupang’s server logs from July through November confirmed that private data from at least 30 million accounts had been accessed.

Second Vice Minister Ryu Je-myung said the attacker is believed to have exploited Coupang’s electronic signature key to penetrate internal servers. An unidentified individual later emailed the company claiming responsibility and alleging that information on roughly 30 million users had been leaked.

Speculation has circulated that a former Coupang employee — a Chinese national who has since left Korea — was involved. Ryu said the allegation remains unverified.

At the hearing, Coupang CEO Park Dae-jun clarified that the former employee in question was not responsible for authentication operations, but was a developer who had worked on the authentication system itself, responding to questioning by Rep. Shin Sung-beom of the ruling People Power Party.

Park added that the police investigation must determine whether the former employee played any role.

Seoul police said they have not confirmed the attacker’s identity and are currently tracking the internet protocol address used in the intrusion.

Coupang building in Songpa-gu, Seoul (Yonhap)

Coupang faces potential record fine

Coupang CEO Park, appearing at the parliamentary hearing, said the company “will not evade responsibility.”

Asked whether Coupang is prepared to pay an estimated 1.2 trillion won ($817 million) fine under the Personal Information Protection Act, Park replied that the firm intends to comply with the law.

Korea’s personal information law allows fines of up to 3 percent of a company’s total revenue for serious violations. Based on Coupang’s 2024 sales of 41 trillion won, the theoretical maximum penalty would exceed 1 trillion won, though the final amount is likely to be lower, depending on the agency’s assessment.

The current record for a data-leak penalty is 134.8 billion won, imposed on SK Telecom in August for a breach affecting 23 million customers.

Rep. Lee Hoon-gi of the ruling Democratic Party of Korea commented that despite being a giant in the industry, Coupang “is lax on fulfilling its social obligation.”

Corporate governance questions resurface

The incident has reignited debate over Coupang’s corporate structure. While most of its operations and revenue are generated in Korea, Coupang is a subsidiary of Coupang Inc., a Delaware-based US holding company controlled by founder Bom Kim, a Seoul-born Korean American.

Kim has repeatedly declined requests to appear before the National Assembly, leaving Park, head of the Korea operation, to issue public apologies. The silence has fueled public frustration over what critics call a lack of accountability from top leadership.

Civic group People’s Solidarity for Participatory Democracy said Coupang has “sparked repeated controversies, including the deaths of overworked employees,” and has now “reached a pinnacle of negligence” with the data breach. It urged the company to overhaul its management structure and issue a formal apology from the leadership.


minsikyoon@heraldcorp.com