The Coupang data breach has sparked a debate about penalties. We summarize the criteria for calculating fines under the Personal Information Protection Act, domestic and international cases, punitive damages and class action lawsuits, and how companies can protect themselves and consumers.
Case overview and response
A few weeks ago, a Coupang user was surprised to receive a notification that someone from overseas was attempting to log in to her account. Coupang then announced a breach of the personal information of more than 33.7 million customers and sellers. This massive breach was not only shocking in itself, but also put to the test the extent to which our privacy protection system can hold companies accountable and sanction them.
Under the Personal Information Protection Act, violating companies can be fined up to 3% of their revenue for the three previous years. Given the size of Coupang's sales (around 41 trillion won), the fine could theoretically exceed 1 trillion won, but the actual amount is determined by a combination of the proportion of sales related to the breach, the company's response efforts, and measures to prevent recurrence. Another point of contention is that Coupang will have to prove that it had properly implemented security measures beforehand in order to receive a partial reduction.
At the heart of the controversy: notification methods and repeat incidents
There are two areas of particular controversy in this case. First, the manner of notification. Coupang referred to the incident as a "disclosure of some information," but the Personal Information Protection Authority pointed out that it should be clearly labeled as a "leak" so that consumers are aware of the risk. Second, the repetitiveness of the incident. In the past, Coupang has experienced incidents such as misdelivery of personal information of delivery drivers and information leakage due to merchant system errors. Considering the successive incidents, there are calls for stricter sanctions this time around.
Legal Penalties and Overseas Cases
The Coupang case has drawn attention to the scale of legal penalties. The maximum penalty under the Personal Information Protection Act is the aforementioned 3% of sales. Although the cap itself is high in Korea, the actual penalty is relatively low compared to overseas cases. The EU General Data Protection Regulation (GDPR) has imposed trillions of dollars in fines on global companies such as Meta, Amazon, and TikTok for processing personal data without user consent and failing to protect children's information. The UK ICO has also imposed fines on British Airways (BA) and Marriott Hotels.
In the US, class actions and settlements are more prevalent than administrative enforcement. In 2017, Equifax paid a settlement of up to $700 million for the breach of personal information of about 140 million people. Currently, a punitive damages lawsuit against the company is being prepared in a US court for the Coupang breach. In other countries, high penalties are imposed not only based on the size of the breach, but also on the nature of the breach, such as corporate negligence and violation of child protection obligations.
Consumer protection and response
After the breach was disclosed, consumer anxiety grew. Online communities were flooded with reports of notifications about overseas login attempts and abnormal payments, and the number of smishing texts skyrocketed. Many users considered canceling their accounts, and hundreds of thousands joined class action lawsuits.
On the consumer side, basic security habits like changing passwords frequently, enabling two-factor authentication, and turning on international login blockers are key. Businesses need to communicate breaches quickly and transparently, and implement practical safeguards such as encrypting sensitive information and real-time login notifications. This incident has highlighted the lack of secondary damage prevention after a breach.
Conclusion
The Coupang data breach demonstrated that it's not just about technology, it's about trust. Regardless of legal sanctions, companies need to strengthen their own privacy protection systems, and consumers need to be diligent in their security habits, such as password management. Fines and punitive damages, as well as the supplementation of privacy policies, will also be important to watch in the future. Ultimately, a secure digital environment will require the efforts of both businesses and consumers.
Let us know in the comments if you have any questions!
Frequently Asked Questions (FAQ)
Q1: How can I find out if my personal information was compromised by Coupang?
The specific information that was compromised on Coupang is not publicly available, so it's difficult for individuals to verify. Instead, you can check your Coupang account login history, payment history, and more. Keep an eye out for any unusual login notifications or payment texts, and change your password immediately if there are any suspicious signs.
Q2: How do I get compensated for the breach?
At this time, Coupang has not announced a specific compensation plan. The government is encouraging companies to make voluntary reparations, and victims are preparing for class action lawsuits. We recommend that you gather evidence of your losses (e.g., fraudulent charges, SMS texts, etc.), and you can participate in the compensation process as guided by Coupang or the court at a later date.
Q3: What is the difference between a class action lawsuit and punitive damages?
A class action lawsuit is a lawsuit filed against a business by a group of individuals who have suffered the same harm. Punitive damages are awarded up to five times the actual damages when a company is found to be intentionally or grossly negligent. Korea has not yet fully adopted punitive damages, but this case has spurred discussion.
Q4: How can I cancel my membership with Coupang?
You can cancel your membership from the app by going to MyCoupon > Manage Personal Information > Cancel Membership, verifying your identity and checking your unfulfilled orders. The process can be complicated, so please follow the instructions and take your time.