This article is a contribution by Attorney Hee-chul Ahn of DLG Law Firm. If you would like to share quality content for startups in the form of a contribution, please contact the Venture Square editorial team at editor@venturesquare.net.

[Legal Issues in Anbyeon] Coupang's Personal Information Leak: Corporate Responsibility and Customer Rights
I received a message from Coupang, a service I use every day, informing me that all my personal information had been compromised. They even said that the password to my apartment's shared entrance had been leaked. It's unbelievable.
A series of large-scale personal information leaks, particularly at major domestic companies, has occurred in recent years, raising concerns that Korea's personal information protection system is being fundamentally undermined. Following data breaches at the nation's three major telecommunications companies (SKT, KT, and LG Uplus), Coupang has now reportedly suffered a massive customer data breach. While data breaches were previously considered to affect primarily financial institutions and major telecommunications companies, this latest incident clearly demonstrates that platform companies are no longer immune from privacy concerns. Coupang, a leading e-commerce platform that has long held and processed the data of tens of millions of customers, carries a significantly heavier burden in terms of both scale and impact than the previous incidents.
Looking at what is known so far about Coupang's personal information breach, approximately 33.7 million customer accounts were compromised, including customer names, phone numbers, email addresses, shipping addresses, and order information. However, Coupang claims to have been unaware of the leak for over five months. According to Coupang's announcement, the company first became aware of the leak on November 19, 2025, and filed its first report with the Personal Information Protection Commission on November 20. As the situation escalated, the government took the matter seriously and held an emergency meeting chaired by the Minister of Science and ICT. It also established a public-private joint investigation team on November 30 to urgently prepare countermeasures. Based on what has been confirmed so far, this personal information breach appears to have been an insider leak, which distinguishes it from the hacker-induced breaches that occurred at the three major telecommunications companies.
In this situation, it is important to review the Personal Information Protection Act and other laws related to personal information to determine what measures are in place to prevent personal information leaks and to minimize the damage they cause. The Personal Information Protection Act defines entities that process personal information for business purposes as "personal information processors" and obliges them to take technical, managerial, and physical measures to prevent the loss, theft, leakage, forgery, alteration, or damage of personal information. This applies equally regardless of a company's size or the amount of personal information it holds: not only to companies with massive data sets like Coupang, but also to small startups handling information on dozens of customers and to SMEs that process only simple internal personnel information. The obligation to take safety measures, as stipulated in Article 29 of the Personal Information Protection Act, is a core norm that every company must adhere to as long as it processes personal information.
There are three key issues to consider in the recent Coupang personal information leak. First, whether Coupang adequately implemented its legally mandated security measures. This covers not only technical measures but also administrative and physical measures, such as internal employee management, access control, and log management. Second, whether Coupang faithfully carried out the immediate response required by law, such as notifying customers and reporting the leak to the Personal Information Protection Commission or the Korea Internet & Security Agency within 72 hours of becoming aware of it. Third, whether its response measures were sufficient and prompt enough to minimize customer damage, and whether the company transparently disclosed its measures to prevent recurrence. For large-scale platform companies like Coupang in particular, given their significant impact on social trust, proactive measures beyond the minimum required by law are essential.
The first legal obligation that applies when a personal information leak occurs is the notification obligation stipulated in Article 34 of the Personal Information Protection Act. Under this obligation, companies must notify the affected data subjects of the leak within 72 hours of becoming aware of it, even if only one individual is affected. For large companies like Coupang, where the number of data subjects confirmed to have been affected could range from millions to tens of millions, individual notification may be technically challenging. However, even in such cases, the Personal Information Protection Act stipulates that companies must first notify individuals through a website announcement or other means, and then continue to provide additional individual notifications to the extent possible. Even if the specifics, timing, or circumstances of the leaked personal information have not yet been clearly identified, companies must first notify individuals to the extent possible, and then provide additional notifications as information becomes available.
At the same time, personal information processors also have a reporting obligation. As personal information processors, companies must report to the Personal Information Protection Commission or the Korea Internet & Security Agency (KISA) within 72 hours when a leak involves the personal information of 1,000 or more individuals, sensitive information (such as health information) that poses a significant risk of infringing on the privacy of data subjects, or unique identifiers (such as resident registration numbers or passport numbers), or when the leak was caused by an external attack such as hacking. Like the notification, this report must include the details of the leak, the circumstances surrounding it, and the measures taken.
Coupang is likely to face rigorous scrutiny to determine whether it has met all of these legal obligations, and if it is found to have violated its safety-measure, notification, or reporting obligations, the legal liability could be very severe. The Personal Information Protection Commission can impose fines of up to 3% of total sales on companies that violate the safety-measure requirements, a substantial burden for a company like Coupang, whose annual sales reach trillions of won. In the earlier SKT personal information leak incident, the Personal Information Protection Commission imposed a fine of 134.7 billion won (approximately $139 million USD) on SKT. This incident, however, is not only a larger-scale personal information leak than SKT's but also involves a greater degree of responsibility, since it was committed by an insider at Coupang. Therefore, it is difficult to rule out the possibility of an even larger fine being imposed.
Meanwhile, in the event of a personal information leak, the company may be held civilly liable for damages suffered by the data subjects, and if intentional concealment or false reporting is confirmed, criminal liability may also arise. It is noteworthy that Article 39 of the Personal Information Protection Act stipulates, "If a data subject suffers damage due to an act by a personal information processor in violation of this Act, the data subject may claim compensation for the damage from the personal information processor. In this case, the personal information processor cannot avoid liability unless it proves that there was no intent or negligence." In other words, it is not the data subject who suffered the damage who must prove the intent or negligence of the personal information processor; rather, the personal information processor must prove that there was no intent or negligence on its part. Considering this provision of the Personal Information Protection Act, Coupang must provide detailed evidence regarding the security systems it had in place, whether access controls were properly implemented, whether its leak detection system functioned normally, and whether the management of internal employee privileges was appropriate.
Moreover, under Article 39-2 of the Personal Information Protection Act, victims can now seek statutory damages of up to 3 million won without proving the company's negligence. This significantly strengthens victims' rights. However, since damages of around 100,000 won were typically awarded in previous personal information leak cases, the practical benefit of filing a lawsuit is low for individual victims. For example, in the 2024 Modutour personal information hacking incident, the Seoul Central District Court awarded each victim 100,000 won in damages in August 2025, and in the 2016 Interpark personal information leak incident, a settlement was reached under which each victim was to receive 10,000 won.
The Coupang incident provides a clear lesson not only for large platform companies but also for startups. Personal information protection is not simply a legal obligation but a corporate survival strategy. Many startups have a few developers build their own servers in-house without even systematically maintaining personal information access logs. However, the moment they handle personal information, they are subject to the same legal obligations as large corporations, regardless of their size. Startups are not exempt from encryption, minimal access rights, regular security training, or the obligation to oversee and manage outsourced vendors. A personal information leak is not only a technical issue but also a matter of legal and social trust. Customers entrust their information to companies, trusting their expertise and safeguards. When that trust is eroded, a company's brand value and business competitiveness are severely damaged. The Coupang incident demonstrates this reality once again and serves as a crucial warning to both companies and consumers.
Meanwhile, as technology advances, the battle between the shield of stronger security and the spears of hackers is intensifying. In this context, the government needs to adopt a more strategic approach to policy. Recognizing that the sharper the spear, the greater the risk of hacking, and that some attacks may even be unavoidable, the government should impose strong and strict fines and penalties for personal information leaks caused by corporate negligence. However, it should also actively mitigate penalties where a company takes proactive measures to prevent further damage after a leak. In other words, the government should wield a stick for leaks and offer a carrot for damage prevention, ensuring the maximum protection of each data subject's personal information.
Contact for inquiries
Attorney Heechul Ahn 010-9135-4773 / heechul.an@dlglaw.co.kr
Simharu, Senior Manager, PR Marketing Team 010-9458-6068 / ru.sim@dlglaw.co.kr