Home > Business > Industry

Companies' minimum insurance obligation prompts concern following Coupang, SKT data leaks

Published: 08 Dec. 2025, 10:27 Updated: 08 Dec. 2025, 15:23

A Coupang delivery truck is parked at the company's logistics center in Seoul on Dec. 7. [NEWS1]

Despite the risk — and actuality — of a data leak affecting millions of customers, Coupang and SK Telecom (SKT) carry liability insurance policies for personal information that cover a mere 1 billion won ($680,000), the minimum mandated by law.

According to the insurance industry, Coupang is currently insured by Meritz Fire & Marine Insurance, with a coverage limit of 1 billion won. This means that even if Coupang is found liable for damages in connection with the breach, insurance payouts would be capped at that amount. The company has not yet filed an insurance claim related to the incident, according to industry sources.

“The 1 billion won ceiling is essentially ineffective in a breach affecting tens of millions of people,” one industry source said.

Roughly 33.7 million Coupang accounts were compromised in the breach, raising concerns that any related class action lawsuits could become the largest of their kind in Korean legal history.

SKT, which saw the personal data of 23 million users compromised, was also insured for only 1 billion won under a policy with Hyundai Marine & Fire Insurance.

While Korea’s Personal Information Protection Act requires companies above a certain size to carry liability insurance, there has long been criticism that the minimum requirement is too low to meaningfully compensate affected users. For example, even firms with more than 80 billion won in annual revenue or over 1 million data subjects are only required to carry a 1 billion won policy.

A pedestrian walks by an SK Telecom shop in Seoul on Nov. 4. [NEWS1]

“The current payout cap is utterly inadequate given the scale of potential victims, which can range from hundreds of thousands to tens of millions,” said one industry insider. There are also concerns that companies may delay or evade compensation due to insufficient insurance coverage.

The insurance sector and related associations plan to formally propose to the Personal Information Protection Commission that the minimum coverage requirement for large corporations be raised to 100 billion won.

Regulatory enforcement of the insurance mandate is also facing scrutiny. While the Personal Information Protection Act imposes fines of up to 30 million won for failing to enroll in the required insurance following a correction order, the commission has yet to issue a single penalty — citing difficulty in identifying violators.

As of the end of June, there were roughly 7,000 active policies across 15 insurers offering data breach liability insurance. According to the commission, the number of businesses subject to the mandate is estimated to be between 83,000 and 380,000, suggesting a compliance rate of only 2 to 8 percent as of the end of May.

This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom.
BY JEONG JAE-HONG [[email protected]]