South Korea's Personal Information Protection Commission announced its penalty decision on Thursday: it imposed 624.68 billion won (equivalent to US$410.1 million) and other additional financial penalties on the Korean-owned U.S.-listed e-commerce company for last year's user information leakage case. This leak affected 37.6 million users, accounting for more than 70% of South Korea's total population.
E-commerce company Kupeng promised to further strengthen the data security protection system and make every effort to restore consumer trust.
This fine sets a new record for the highest penalty imposed on a single company in South Korea, far exceeding the amount of penalties imposed in previous data breach cases involving South Korea's SK Telecom, KT and other companies.
The penalty comes after regulators launched a months-long investigation into the company, known as the “Korean Amazon.” Coolpeng is headquartered in Seattle, USA, and the company is registered in Delaware, but most of its revenue comes from the Korean domestic market.
When announcing the penalty decision online, Song Kyung-hee, chairman of the Korean Personal Information Protection Commission, said: "This information leakage did not stem from a difficult hacker attack. The root cause is that there are serious loopholes in Coolpeng's basic security management system and the company's own management failure."
South Korean regulatory authorities and members of Congress revealed that the data leakage went unnoticed for several months until Coolpeng’s self-examination discovered it in November last year.
The investigation found that a former Chinese software development engineer at Kupeng secretly retained the system authentication key after leaving the company, and used the key to illegally access user information for about a year.
The user information illegally retrieved by the persons involved included private data such as names, mobile phone numbers, and even residential building access passwords.
Kupeng said that the persons involved did not steal credit card numbers, resident ID numbers and other more sensitive information.
Kupeng stated on Thursday that the company will comprehensively upgrade its data security protection system to restore user trust, and also revealed that it will appeal the penalty decision of the Personal Information Protection Commission.
Kupeng’s official statement: “Regarding last year’s information leakage incident, we have proactively taken a number of measures to avoid secondary damage and submitted complete factual supporting materials. However, these measures were not fully considered in the committee’s penalty ruling. We deeply regret this. We look forward to clarifying all the facts through judicial procedures.”