Coupang Fined 15.9 Billion Won for Multiple Data Breaches
Hwang Sujin Reporter
hwang075609@gmail.com | 2024-11-28 18:12:58
Seoul, South Korea – E-commerce giant Coupang has been fined 15.8865 billion won by the Personal Information Protection Commission (PIPC) for multiple data breaches involving the personal information of its delivery drivers and customers.
In a decision announced on November 28th, the PIPC found that Coupang had violated the Personal Information Protection Act. The commission investigated two separate incidents: a 2021 data breach that exposed the personal information of approximately 135,000 Coupang Eats delivery drivers and a 2022 incident that leaked the order information of around 22,000 customers using the Coupang seller system.
In the first case, Coupang introduced a policy in November 2019 to protect the privacy of its delivery drivers by providing only a masked phone number to restaurants. However, it was revealed that until November 2021, the delivery drivers' real names and phone numbers were still being sent to restaurants. This information was transmitted from Coupang Eats servers to OtterKorea, a company whose order management system is used by restaurants, where it was exposed. Despite being aware of this issue in November 2020, Coupang allowed it to continue, enabling restaurant owners to view the delivery drivers' information. Additionally, OtterKorea was found to have retained the real names and phone numbers of delivery drivers, even after order completion, in its own systems.
For these violations, the PIPC imposed a fine of 2.7865 billion won and a penalty of 1.08 million won on Coupang. The commission also recommended that Coupang strengthen the security of its personal information processing systems. OtterKorea was ordered to comply with data deletion obligations.
The investigation also revealed that the login process for Coupang's seller-only system (Wing) exposed the personal information of 22,440 customers (orderers and recipients) to other sellers. Coupang failed to identify and address security vulnerabilities in its login authentication service, leading to this data breach. As a result, the PIPC imposed an additional fine of 13.1 billion won.
The PIPC emphasized the need for businesses handling large amounts of personal information through web and app services to regularly check for and address vulnerabilities in their login authentication systems.
In response, Coupang stated that the incidents were caused by the negligence of an external vendor and temporary software errors. The company claimed to have taken all necessary measures to prevent recurrence.