Privacy regulator demands Coupang re-notify users of data breach

Seoul, Dec 3
The data protection regulator here said on Wednesday that e-commerce giant Coupang Inc. did not properly notify its customers of its recent major data breach, demanding a corrected notification of a personal information "leak" from an "exposure" of such data.

The Personal Information Protection Commission (PIPC) made the decision in an emergency meeting after the company said last week personal information of 33.7 million customers had been compromised, including names, addresses and phone numbers, reports Yonhap news agency.

While Coupang notified affected users of the breach, the PIPC said the company merely described it as personal information being exposed when it was aware that such data had been leaked.

The regulator said Coupang also partially omitted types of data affected while announcing the breach on its website for just one to two days.

It ordered the company to notify affected customers again of the leak, advise them of data protection measures, such as changing passwords, and reinspect steps to prevent harm to customers, among other measures.

It demanded Coupang submit the results of its measures within one week.

"(We) will swiftly and thoroughly investigate the circumstances, scope and items of Coupang's personal information leak, as well as violations of safety duties, and will make strict punishment if violations are found," it said in a release.

Meanwhile, the regulator said it strengthened the monitoring of illegal distribution of personal information on the internet and the dark web Sunday, which will last for three months.

Coupang is facing a wave of class-action lawsuits over its massive data breach that affected nearly 34 million customers. A law firm named Chung filed the first complaint against Coupang on Monday on behalf of 14 clients, seeking 200,000 won (about US$140) per person in damages. Many other law firms have also expressed their intention to participate in the class-action lawsuits and are now recruiting participants.

Considering past judicial precedents, however, the compensation awarded to users whose personal information was leaked was around 100,000 won per person, legal experts said on Wednesday.