More than 30 million cases of personal information were leaked in a large-scale data breach at Coupang. This exceeds the economically active population of 29.69 million, making it the worst data breach in history. Behind the apology text message from Coupang regarding the data breach on the 1st, a Coupang signboard installed at Coupang headquarters can be seen.
Did you also receive this text message that leaves you sighing?
There is growing attention on how Coupang will establish a compensation system for the customers affected by the unauthorized exposure of 33.7 million cases of personal information.
This Coupang breach is considered more serious than previous incidents because it includes not only general personal information such as names, phone numbers, and emails, but also address book data (recipient names, phone numbers, and addresses).
Cases where address information is leaked are rare even in Korea, raising concerns about smishing and delivery scam crimes, phishing calls, spam advertisements, and even the risk of in-person crimes based on actual addresses.
The leakage of address book data is a much more sensitive issue than a simple account information leak, so there is a possibility that the level of compensation and protective measures Coupang will need to provide will be set higher than in previous platform incidents.
According to the retail industry on December 4, Daejun Park, CEO of Coupang, appeared before the National Assembly's Political Affairs Committee the previous day and stated, "Once the extent of the damage is confirmed, we will come up with a reasonable plan," adding, "We will actively consider compensation for the victims."
Daejun Park, CEO of Coupang, attended the plenary session of the National Assembly's Science, Technology, Information and Broadcasting and Communications Committee held on the 2nd and responded to inquiries. On the right is Brett Mattis, CISO of Coupang.
Given the precedents of major domestic data breaches, it seems likely that Coupang will also follow a three-step compensation structure: providing monitoring services, offering voluntary compensation such as coupons, and monetary compensation through class action lawsuits.
In large-scale data breaches, the first actions companies typically take are strengthening account protection measures and providing information monitoring services. For example, after Interpark's 2016 breach, the company provided two years of free monitoring services, and in 2023, LG Uplus supported affected customers with identity verification history checks and enhanced account protection measures.
Since the Coupang case involves address book leakage, it is possible that even more robust monitoring will be provided compared to previous cases.
For instance, this could include alerts for suspected smishing or phishing messages, detection of suspicious transactions using personal information, and preemptive security notification services.
Additionally, Coupang may introduce separate account protection features for membership customers by leveraging its "Wow Membership" ecosystem.
In Korea, it is extremely rare for companies to choose direct cash payments for personal information leakage damages. Most compensation has taken the form of non-cash benefits such as coupons, points, membership fee reductions, or free service vouchers. For example, in 2016, Interpark provided shopping coupons (worth 10,000 and 30,000 won), and in 2017, YogiYoTta implemented enhanced account security and guidance measures. In 2011, Nate and Cyworld offered security programs and monitoring services.
Given Coupang's established Wow Membership ecosystem, service-based compensation such as membership fee reductions or extensions, free shipping vouchers, shopping cart discount coupons, or exclusive benefits for Rocket Delivery are considered realistic options. This approach allows the company to minimize costs while maximizing customer satisfaction, making it the most common form of compensation in large-scale data breaches.
Actual monetary compensation is ultimately expected to be possible only through class action lawsuits.
In major data breaches, substantial monetary compensation has typically been awarded only through court rulings.
There are almost no cases of companies voluntarily providing cash compensation. According to major domestic case precedents, Nate and Cyworld paid damages of 300,000 to 400,000 won per person in 2011, and Interpark compensated 100,000 won per person in 2016.
The following year, some YogiYoTta customers were awarded damages, and HanaTour paid small amounts of compensation.
The amount of compensation depends on the sensitivity of the leaked information, whether the company was at fault or negligent, the scale of the breach, and the sincerity of the company's response afterward. Since the Coupang incident includes address book data, there is growing speculation that the standard for damages may be set higher than in previous cases.
Currently, consumer groups are already preparing class action lawsuits, and if the number of participants reaches hundreds of thousands or even millions, the total compensation amount is expected to be substantial.
Under the Personal Information Protection Act, fines are administrative penalties, while customer compensation is a civil liability.
Therefore, even if Coupang is fined hundreds of billions to 1 trillion won, the amount of compensation paid to customers is not directly linked to the fine. Voluntary compensation provided by the company, such as monitoring services or coupons, is a measure aimed at customer satisfaction and public opinion management, while monetary compensation is determined separately through civil lawsuits.