6,246억 원의 경고장: 쿠팡이 쏘아 올린 개인정보 보호의 거대한 파문 > K-wave Trends

This incident began when a large amount of personal information of approximately 37.5 million people was leaked through hacking. As a result of the investigation, it was revealed that a former Coupang employee had stolen member information by abusing the internal authentication signature key, which proves how lax the company's most basic security system, access control, was. Hackers freely moved between members' edit pages and delivery address management pages to reorganize profiles, and even looked into extremely sensitive information such as purchase history of adult products and underwear to threaten companies. What's even more shocking is that even though Coupang was aware of the incident, it delayed its response by exceeding the legal notification deadline, and it was even discovered that there were systematic obstructions to the investigation, such as manually deleting log records that could serve as evidence during the investigation or neglecting the automatic deletion policy. This total insensitivity to security ultimately resulted in a massive number of victims, reaching 37.5 million people, and cast critical doubt on the company's data management capabilities.

It is not just a hacking incident, but the fact that Coupang has been collecting user data without legal basis is pointed out as a more serious problem. While operating the affiliate marketing program 'Coupang Partners', Coupang tracked and stored the activity records of 11.17 million people who used third-party websites or apps other than its own without consent. This is sensitive data that includes URL information, access IP, date and time, etc. about where users visit and what apps they use, and it carries the risk of inferring political and religious tendencies beyond the user's interests and tendencies. In addition, the fact that they did not properly manage and supervise partner companies that posted fraudulent advertisements, so-called 'kidnapping advertisements', and allowed service usage records to be collected regardless of the users' will, clearly shows their dereliction of responsibility as a platform company. In the end, it is difficult to avoid criticism that companies have degenerated into watchdogs that generate profits through data, rather than service providers for customers.

The deviant behavior of our affiliate, Coupang Fulfillment Service (CFS), also had a decisive influence on the calculation of this fine. CFS illegally collected the names of 71 reporters working at the National Police Agency who had no history of working at a distribution center and registered and managed them on an employment restriction list, which was considered an act that shook the foundation of the Personal Information Protection Act. In addition, it was revealed that the company violated regulations restricting the processing of sensitive information by submitting weight information collected in the name of managing employees' health to the court during industrial accident lawsuits. This series of actions is not simply a security incident, but suggests that there was no ethical awareness of personal information protection within the company. The Personal Information Commission compiled these various violations and decided on the highest level of sanctions ever, considering the scale of sales and the severity of the violation, once again reminding companies of the severity of data management.

Coupang expressed regret over this decision, claiming, “We are operating a partnership model in accordance with global standards and have done our best to prevent secondary damage.” Coupang's response to clarify the facts through legal procedures foreshadows a fierce legal battle over the appropriateness of the fine size in the future. But public opinion is indifferent. In a situation where 37.5 million people's personal information has already been leaked, the company's excuses are not helping much in restoring trust, and there are loud voices calling for acknowledging the loopholes in the internal security system and rebuilding the fundamental framework. The Personal Information Commission has also threatened to go beyond simply imposing fines and inspect every three months to ensure the personal information protection officer's actual authority is guaranteed and measures to prevent recurrence are implemented. This warns that if Coupang fails to use this incident as an opportunity to reestablish its security-centered corporate culture, trust in the market will plummet uncontrollably.