South Korea’s Lee calls for tougher penalties after Coupang data breach

By Hyunjoo Jin and Heejin Kim

SEOUL, Dec 2 (Reuters) – South Korean President Lee Jae Myung on Tuesday called for increased penalties for corporate negligence in data breaches, saying ​a massive leak at e-commerce giant Coupang had served as a wake-up call.

The breach – ‌resulting in personal data for some 33 million Coupang customers being leaked – was South Korea’s worst in more than a decade. Coupang,‌ which saw its New York-listed stock tumble 5% overnight, is now grappling with a police investigation, potential hefty fines as well as a possible class-action suit.

Ordering a review of fines and punitive damages in such cases, Lee told a cabinet meeting it was “astonishing” that Coupang did not detect the breach for five months, adding those ⁠responsible must be quickly identified and held ‌accountable.

“The wrong practice and the idea of not giving necessary care for personal data protection, which is a key asset in the age of artificial intelligence and digitalisation, must be ‍completely changed,” he said.

Under current South Korean law, companies that fail to implement adequate data protection measures can be fined up to 3% of revenue.

That could mean a fine of more than 1 trillion won ($680 million) for Coupang,​ which reported 38.3 trillion won in revenue in 2024.

Coupang’s Chief Information Security Officer Brett Matthes told ‌a parliamentary hearing that the perpetrator obtained a private encryption key, which allowed them to generate a forged token to impersonate a customer.

“We do believe that this person, if it is the person, had a privileged role within the organisation that would have given him access to the key that has been taken,” Matthes said.

A former Coupang engineer who took part in developing the system’s authentication protocol is the suspected perpetrator, CEO Park Dae-⁠jun said, adding that other people may have been involved. ​Park did not name the person.

Coupang has apologised for the incident but ​members of parliament called for founder Bom Kim, a Korean American who established the company in 2010, to come forward and personally apologise.

Coupang, which is backed by Japan’s SoftBank Group,‍ has said customer names, ⁠email and home addresses and phone numbers were exposed by the data leak. The number of people affected by the breach far exceeds Coupang’s active users of its online retail services, which the company said ⁠was 24.7 million.

The breach is believed to have first occurred in June, but Coupang’s report to government authorities was made in November.‌

($1 = 1,469.65 won)

(Reporting by Hyunjoo Jin and Heejin Kim; Writing ‌by Jack Kim; Editing by Ed Davies and Edwina Gibbs)