The Personal Information Protection Commission requested that Coupang, where a large-scale personal information leak occurred, correct its personal information ‘exposure’ notice to a ‘leak’ notice and inform customers again.

The Personal Information Protection Commission (PIPC) stated that on the morning of the 3rd it convened an emergency plenary meeting and deliberated·resolved that Coupang should immediately implement measures including these points.

A review found that Coupang confirmed customer personal information had been leaked due to abnormal access by an unidentified person. However, it informed data subjects under the title of a personal information ‘exposure’ notice that a partial exposure incident had occurred, but did not notify the fact of a ‘leak’. It posted the related information on its website for only 1~2 days. It also caused confusion by omitting leaked items such as common entrance door passwords.

The Personal Information Protection Commission (PIPC) urged Coupang to revise the personal information exposure notice to a leak notice and to re-notify, fully reflecting all leaked items. It also ordered that people whose information was leaked and who are included on delivery address lists be notified of the personal information leak within an identifiable scope, and that any additional leaks be reported·notified immediately upon confirmation. This is a measure that takes into account the possibility that additionally registered delivery address information, such as the home of a parent or acquaintance, may have been leaked.

It also requested that the leak details be posted on the website home page or via a popup for more than a certain period, and that guidance to prevent further harm, such as recommending changes to common entrance door passwords and Coupang account passwords, be actively provided.

It further ordered a re-examination of the effectiveness of damage-prevention measures and stronger internal monitoring, and to expand the dedicated response team to respond immediately to complaints or media reports.

The Personal Information Protection Commission (PIPC) will require Coupang to submit the results of its measures within seven days and plans to continuously check the implementation status.

The Personal Information Protection Commission (PIPC) stated, “We are acutely aware of the seriousness of a case in which the contact information and addresses of a large number of citizens have been leaked,” and added, “We will promptly and thoroughly investigate the circumstances of the personal information leak at Coupang, its scale·items, and any violations of obligations for safety measures, and will impose strict sanctions if violations are confirmed.”