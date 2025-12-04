Coupang could be liable for trillions of won in customer damages if punitive laws invoked
Published: 04 Dec. 2025, 16:27
Will Coupang become the first company to face punitive damages under Korea’s personal data protection laws?
During an emergency parliamentary hearing on Tuesday regarding Coupang’s recent data breach, lawmakers raised the possibility that the e-commerce giant could face punitive damages claims amounting to trillions of won.
“Coupang’s annual revenue is 41 trillion won [$27.83 billion], and under current law, it could face fines of up to 3 percent of that amount, or 1.2 trillion won. On top of that, are there provisions allowing for up to five times that amount in punitive damages?” Rep. Kim Seung-won of the Democratic Party (DP) asked, in a question toward Personal Information Protection Commission Chairperson Song Kyung-hee during the hearing of the National Assembly’s National Policy Committee.
“Yes, such provisions do exist,” Song replied.
Kim stressed the need for action, citing repeated data leaks and comments made earlier the same day by President Lee Jae Myung. The president had instructed relevant ministries to “reinforce fines and implement practical and effective measures, including making the punitive damages system a reality.”
Song’s remarks referred to Article 39 of the Personal Information Protection Act, which allows for punitive damages up to five times the amount of actual harm if personal data is leaked due to willful misconduct or gross negligence by the data handler.
The punitive damages clause was introduced in 2015 after a major data leak involving three credit card companies — KB Kookmin, NH NongHyup and Lotte Card — but it has never actually been applied in the decade since passage. Legal experts say this is largely due to a clause exempting companies from liability if they can prove the absence of willful intent or gross negligence.
During the hearing, Song added that the commission would explore ways to strengthen the effectiveness of both fines and the punitive damages system.
Legal experts say that if the punitive damages clause is enforced, the financial burden on Coupang could be enormous. Assuming emotional damages of 100,000 won per person and applying that to the estimated 33.7 million affected users, total damages could reach 3.37 trillion won — and up to 16.85 trillion won if punitive damages are awarded at five times that amount.
Hwang Suk-jin, a professor at Dongguk University’s Graduate School of International Information Security, noted that fines and punitive damages are separate.
“It’s difficult to objectively prove damages from a data breach, which is why regulatory fines are typically imposed instead,” he said.
“Punitive damages are challenging to apply because proving actual harm is difficult,” Choi Kyoung-jin, a law professor at Gachon University, added. “However, secondary costs, like time spent changing apartment building entry codes, could factor into damage calculations.”
Coupang CEO Park Dae-jun responded to questions about compensating affected customers by saying the company would “actively review the matter.”
When Rep. Han Chang-min of the Social Democratic Party asked if the company would take responsibility voluntarily rather than waiting for lawsuits, Park replied, “We’ll reflect on the issue and seek a reasonable solution.”
In response to another question from Rep. Kang Myoung-gu of the People Power Party about whether all victims would be compensated, Park said, “We will actively consider it for those affected,” but added that the extent of the damage is still under investigation.
Lawmakers are also considering filing a complaint against Kim Bom, founder and majority shareholder of Coupang Inc., effectively making him the company’s ultimate owner. Rep. Shin Chang-sik of the Rebuilding Korea Party proposed filing a complaint against Kim, and committee Chairperson Yoon Han-hong instructed party whips to discuss the matter and reach a consensus.
There were also calls to revoke Coupang’s ISMS-P certification — a national designation for companies that meet data protection and cybersecurity standards. ISMS-P stands for “Personal information & Information Security Management System.”
Companies with ISMS-P certification are eligible for up to a 50 percent reduction in fines. Rep. Han argued that the certification should be revoked due to Coupang’s failure to meet core standards, to which Korea Internet and Security Agency President Lee Sang-joong replied that the matter would be discussed with the Personal Information Protection Commission.
Questions were also raised about whether Coupang failed to report the breach to financial authorities. Rep. Kim Hyun-jung of the DP criticized the company for notifying only the data protection commission while claiming no financial information had been compromised.
She noted that users are automatically enrolled in Coupang Pay using their Coupang account credentials, potentially allowing access through the leaked IDs.
“There are already reports of unauthorized charges of up to 3 million won on Coupang-registered cards and international calls informing users of transactions,” she said, citing growing concern over secondary damages.
“There is no evidence so far of payment data being compromised,” CEO Park reiterated, but Chairperson Song noted that the matter is still under investigation and cannot yet be confirmed.
This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom.
