Penalty imposed for data breach affecting 37.5 million people and unauthorized tracking of 11.2 million

A red light is illuminated at a crosswalk near Coupang's Korean headquarters in Seoul. (Im Se-jun/The Korea Herald)

South Korea’s privacy watchdog has imposed a record 624.68 billion won ($409 million) fine on Coupang over a massive data breach and unauthorized tracking of users’ online activity.

The Personal Information Protection Commission said Thursday the penalty was approved at a plenary meeting the previous day after it found that the e-commerce giant had failed to maintain basic safeguards for customer data, citing poor management of authentication signing keys and weak access controls.

The penalty is the largest ever imposed by a Korean government agency on a company over a data breach, surpassing the previous record set in August last year when SK Telecom was fined 134.79 billion won and ordered to pay 9.6 million won in administrative penalties over a hacking incident.

For comparison, Ireland’s Data Protection Commission fined Meta 265 million euros ($306 million) in 2021 after the personal data of 533 million users was exposed.

The fine on Coupang is roughly equal to the $473 million in operating profit that the company recorded last year.

The regulator said Coupang’s security lapses led to the leak of personal information belonging to some 37.5 million people, raising the scale from an earlier government-led probe in February that found 33.67 million compromised records, including names and email addresses. Of the total penalty, 423.58 billion won was imposed over the breach, along with 16.8 million won in administrative fines.

The PIPC also found that Coupang failed to notify affected individuals, neglected its obligation to delete personal data, failed to ensure the independence of its chief privacy officer and interfered with the regulator’s inquiry.
It ordered the company to strengthen data security controls, notify affected nonmembers and give its chief privacy officer greater independence and authority.

Separately, the PIPC found that Coupang collected online activity records from about 11.17 million members when they visited third-party websites and apps and stored the data in a way that could identify individual users. The records included website and app visit histories, URLs, app names, access times and IP addresses.

The commission imposed an additional 201.11 billion won fine over the practice and ordered Coupang to improve transparency in its data processing, provide users with meaningful choices over personalized advertising and strengthen supervision of advertising partners. The regulator also said Coupang failed to properly oversee partners that ran so-called “hijacking ads,” leading to the collection of users’ Coupang service usage records without their consent.

“We apologize for causing concern to customers and the public over the personal data leak,” a Coupang official said.

The official added, however, that Coupang’s preemptive measures to prevent secondary damage and explanations based on clear facts were not sufficiently reflected in the commission’s decision.

The company also defended Coupang Partners, its affiliate marketing program, saying it operates lawfully under a partnership model used by global companies while protecting customer data. Coupang added that it expects the facts to be clarified through legal procedures after receiving the commission’s official written decision.

Coupang Fulfillment Services, the company’s logistics subsidiary, was penalized separately.
The commission said CFS collected the names of 71 reporters covering the Korean National Police Agency and placed them on an employment restriction list, even though they had no record of working at Coupang logistics centers.

The subsidiary was also found to have submitted data on workers’ weight, originally collected for employee health management purposes, to a court during litigation related to an industrial accident. The commission said the submission amounted to the improper handling of sensitive personal data and imposed a separate 248 million won fine on CFS.