[DigitalToday reporter Chi-gyu Hwang (황치규)] The Personal Information Protection Commission imposed a 624.7 billion won penalty and a 16.8 million won fine on Coupang over a large-scale personal data leak last November. It cited violations of obligations to take security measures and the collection of personal information without legal grounds.
The penalty amounts to 2 percent of sales.
The commission said 423.6 billion won was imposed for breaching security obligations related to the data leak and 201.1 billion won for the unauthorised collection of other companies' online activity information. It also imposed a separate 248 million won penalty on Coupang's logistics unit Coupang Fulfillment Services.
The commission calculated the penalty based on disclosed sales of Coupang Inc. in South Korea. Under the current Personal Information Protection Act, the cap is 3 percent of sales. From Sept. 11, a punitive penalty system will allow fines of up to 10 percent of sales if conditions are met, including leaks affecting more than 10 million people, serious and repeated incidents, or incidents caused by failure to comply with corrective orders. Coupang was subject to the 3 percent cap because the system had not yet taken effect.
For the leak, it applied average sales over the three years immediately before the incident, setting the base at about 30 trillion won. For the unauthorised collection of other companies' online activity information, it set the base at about 36 trillion won. The commission said it excluded sales from independent services unrelated to the violations, including Coupang Eats, Coupang Play and business-to-business operations, while fully including e-commerce-related sales.
Judged by the penalty ratio alone, the commission weighted Coupang's breach of its security obligations most heavily.
Personal Information Protection Commission Chairperson Kyung-hee Song (송경희) pointed to two main issues in Coupang's security violations at a briefing. First was the management of certificate signing keys. "Coupang operated in a state where substitute certificate signing keys could be viewed in plain text, and it did not immediately renew or dispose of the key even after a former employee who had been able to access it left the company," Song said.
Second was inadequate intrusion detection. "It applied the same abnormal traffic threshold to pages containing personal information and general product pages, so it failed to detect a sharp rise in traffic during the attack period," Song said.
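The detection gap Song describes, shown as an added Python example that is not from the article or from Coupang's systems: the log lines, route prefixes and thresholds are constructed assumptions, and the point is that a single threshold sized for product-page traffic never fires on a much smaller absolute spike against personal-data pages.

```python
import re
from collections import Counter

# Constructed sample access log lines (not from Coupang); format: "<minute> <path> <status>".
# Product pages normally carry heavy traffic; personal-data pages normally carry little.
SAMPLE_LOG = """\
12:00 /product/1 200
12:00 /product/2 200
12:00 /product/3 200
12:00 /account/profile 200
12:01 /product/4 200
12:01 /product/5 200
12:01 /account/profile 200
12:01 /account/profile 200
12:01 /account/profile 200
12:01 /account/profile 200
"""

# Hypothetical route classification: path prefixes that expose personal data.
PII_PREFIXES = ("/account", "/orders", "/address")

def classify(path):
    return "pii" if path.startswith(PII_PREFIXES) else "general"

def count_per_minute(log_text):
    """Return {(minute, class): request count} from raw log lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = re.match(r"(\S+) (\S+) (\d{3})", line)
        if not m:
            continue
        minute, path, _status = m.groups()
        counts[(minute, classify(path))] += 1
    return counts

def alerts(counts, thresholds):
    """Emit (minute, class, count) for every bucket above its class threshold."""
    return sorted((t, cls, n) for (t, cls), n in counts.items() if n > thresholds[cls])

# Uniform threshold sized for product pages: the 4x jump on /account/profile stays under it.
UNIFORM = {"general": 10, "pii": 10}
# Per-class baseline: personal-data pages alert on a far smaller absolute volume.
PER_CLASS = {"general": 10, "pii": 2}

if __name__ == "__main__":
    counts = count_per_minute(SAMPLE_LOG)
    print("uniform:", alerts(counts, UNIFORM))      # []
    print("per-class:", alerts(counts, PER_CLASS))  # [('12:01', 'pii', 4)]
```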
The commission said it also reflected the unauthorised collection of other companies' online activity information with significant weight in calculating the penalty.
The commission said Coupang distributed advertising tools to about 150,000 websites and apps while operating its affiliate marketing program, Coupang Partners. When Coupang members visited those sites, the visit time and URL were automatically stored in Coupang's database combined with the members' identification numbers, regardless of whether they clicked.
Coupang said it did not intend this, but the commission judged it to be intentional collection.
It added that Coupang's operation of a compensation program for victims of the leak was partly reflected as a mitigating factor.
The commission will also proceed with a separate complaint process against Coupang. It said that even after it ordered the preservation of evidence such as access logs immediately after launching its investigation, Coupang manually deleted about five months of app access logs and did not halt an internal policy of automatically deleting logs older than six months. The commission said it viewed this as intentionally obstructing the investigation and decided to pursue the complaint process in line with legal requirements.
After the commission's announcement, Coupang apologised for the data leak in a statement but said, "We regret that pre-emptive measures to prevent secondary damage and explanations based on clear facts were not sufficiently reflected in the Personal Information Protection Commission's decision."
It also said, "Coupang Partners is a program in which thousands of domestic creators, bloggers and small business owners recommend products and generate revenue, and it protects customer data and operates legally using the same affiliate model as other global companies." It added, "After receiving the official written resolution from the Personal Information Protection Commission, we expect that the facts will be clearly established through legal procedures."