why the Coupang breach is so controversial

The recent breach of 33.7 million personal data records at Coupang has put the entire privacy regime in the spotlight. But it is not only the scale of the breach that makes it controversial: it has tested how far our institutions can actually hold large platforms accountable.

the problem with notification methods

The first issue is how the incident was reported. The vice chairman of the Privacy Commissioner's Office told the National Assembly that it was problematic for Coupang to have notified the incident as a breach when it was plainly a leak, and stressed that users need a clear explanation of exactly what happened.

repeated history of incidents

The second is the repetition of incidents. In 2020 and 2021, the information of 135,000 Coupang Eats delivery drivers was passed on to restaurants, and in 2023 the information of 22,000 customers was exposed through an error in the merchant system. The pattern continued up to this large-scale leak, prompting calls for stronger sanctions.

fine exemption conditions and victim compensation

The third issue is the conditions for exemption when fines are calculated. The NIS has stated that a partial exemption is possible only if every required safety measure has been met, and that the burden of proof lies with the company. How victims are to be compensated is also contested: the National Assembly has asked for voluntary compensation to be reviewed, and Coupang's representative said the company would actively consider it. The President's Office has also raised the need to strengthen punitive damages.

comparing the penalty calculation structure with overseas cases

Under the Personal Information Protection Act, fines can reach 3 percent of the previous three years' sales. Based on Coupang's sales of 41 trillion won last year, a fine of up to 1 trillion won is theoretically possible. The actual amount, however, is set by weighing the sales related to the breach together with the incident response, recurrence, and the company's security level.

how is it done overseas?

Internationally, revenue-based fines are applied far more aggressively. The EU has levied trillions in fines against Meta, Amazon, TikTok and others under the GDPR, citing data transfers without user consent, overuse of data for advertising, and failure to protect children's information. The UK ICO took action against British Airways and Marriott Hotels for neglecting security vulnerabilities and failing to check their IT systems. The U.S. relies more on class actions, with Equifax paying up to $700 million for a breach affecting approximately 140 million people.

Critics point out that while Korea's penalty cap is high, actual enforcement has been weaker than overseas.

consumer anxiety and protection gaps

Since the Coupang breach became public, reports of harm have surfaced online, including login attempts from foreign IP addresses, access from unknown devices, and notifications of foreign payment authorizations. Smishing texts and spam calls have also spiked, driving a rapid rise in account cancellations and class action lawsuits. The number of class action channels has grown to more than 30, and participants now exceed 500,000.

The problem was that consumers were not given even basic follow-up guidance, such as instructions to change passwords and enable two-factor authentication, while the risks were unfolding in front of them. The belated disclosure that sensitive information, such as shared front-door passwords, was included in the breach added to the anxiety. Experts point to the need for an immediate response system: blocking international logins, real-time login notifications, two-factor authentication enforced by default, and clear procedures for disclosing sensitive information.
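As an added illustration of the response measures experts call for above (not part of the original article or of any Coupang system), a small triage routine that turns one successful login event into the defensive actions a platform could take; the account profiles, event fields and action names are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Profile:
    """What the platform already knows about one account (constructed data)."""
    home_country: str
    known_devices: set = field(default_factory=set)
    block_international: bool = False    # user turned on the international-login block
    password_reset_pending: bool = False  # account was in the breach scope, no reset yet

def triage(event: dict, profile: Profile) -> list[str]:
    """Decide the defensive actions for one successful password login.

    BLOCK           deny the session outright
    NOTIFY          send the real-time login notification
    STEP_UP_2FA     require a second factor before the session is trusted
    FORCE_PW_RESET  make the user change the (possibly exposed) password first
    """
    foreign = event["country"] != profile.home_country
    new_device = event["device_id"] not in profile.known_devices
    if foreign and profile.block_international:
        return ["BLOCK", "NOTIFY"]  # blocked sessions are still reported to the user
    actions = []
    if profile.password_reset_pending:
        actions.append("FORCE_PW_RESET")
    if foreign or new_device:
        actions += ["STEP_UP_2FA", "NOTIFY"]
    return actions  # empty list means the login is allowed as usual

def triage_all(events, profiles):
    """Map event_id -> actions for a batch of login events."""
    return {e["event_id"]: triage(e, profiles[e["user"]]) for e in events}

# Constructed sample data: three accounts, four login events.
PROFILES = {
    "alice": Profile("KR", {"dev-a1"}, block_international=True),
    "bob":   Profile("KR", {"dev-b1"}, password_reset_pending=True),
    "carol": Profile("KR", {"dev-c1"}),
}
EVENTS = [
    {"event_id": 1, "user": "alice", "country": "VN", "device_id": "dev-zz"},  # foreign, blocked
    {"event_id": 2, "user": "bob",   "country": "KR", "device_id": "dev-b1"},  # reset pending only
    {"event_id": 3, "user": "carol", "country": "KR", "device_id": "dev-c9"},  # new device
    {"event_id": 4, "user": "carol", "country": "KR", "device_id": "dev-c1"},  # normal login
]

if __name__ == "__main__":
    for eid, acts in triage_all(EVENTS, PROFILES).items():
        print(eid, acts or ["ALLOW"])
```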

a checklist for a secure digital environment

This breach has shown that privacy is not just a technology issue but a trust issue. Both consumers and businesses need to change.

What consumers can do now is change their passwords and check their settings to block international logins. It also pays to make a habit of not storing more personal information on platforms than necessary. Businesses need to prioritize practical steps: disclosing information quickly and transparently after a breach, protecting sensitive information, and strengthening real-time alerts and prevention systems.


frequently asked questions

Q. what are the actual fines for a data breach on Coupang?

A. Under the Personal Information Protection Act, the maximum penalty is 3% of the previous three years' revenue, but the actual amount depends on a number of factors, including the revenue involved in the breach and the level of response. Theoretically it could reach 1 trillion won, but it is subject to mitigating circumstances.

Q. what are punitive damages?

A. Punitive damages of up to five times the actual damages can be awarded if a company is found to have acted intentionally or with gross negligence. Where the amount of damage is hard to prove, statutory damages of up to 3 million won per person are also available.

Q. how do I unsubscribe from Coupang?

A. You can request to cancel your membership from the settings menu of the Coupang app or website. There are many complaints that the process is complicated, however, so check your order history and savings before canceling.

Q. how can I join the class action lawsuit?

A. Participants are currently being recruited through more than 30 channels, and their number has exceeded 500,000. You can apply through the official channels run by law firms or consumer organizations.

Q. what can I do to prevent secondary victimization?

A. Change your password immediately and set up two-factor authentication. Turn on the block on international logins, and do not respond to texts or calls from unidentified sources.

wrapping up

The Coupang data breach is a reminder of the security responsibilities of large platforms and the current state of consumer protection. Change your passwords and set up two-factor authentication today. If you have questions or experiences to share, please leave them in the comments, and subscribe and turn on alerts for more helpful information.