20,000 Customers and 130,000 Delivery Workers' Information Leaked... Coupang Fined 1.6 Billion Won

Seller System Authentication Issue
Neglect of Inspection and Improvement Measures

Image: Yonhap News

Coupang was fined 1.6 billion KRW for leaking the information of over 20,000 customers and 130,000 delivery workers.


The Personal Information Protection Commission announced on the 28th that it decided to impose a total fine and penalty of 1,588,650,000 KRW on Coupang for violating the Personal Information Protection Act.


Following a report of the leak, the Commission investigated the 2023 incident involving the leakage of customer order information through Coupang’s seller system and the 2021 incident involving the leakage of Coupang Eats delivery workers’ personal information.


The investigation revealed that, due to an authentication issue in the login process of Wing, the seller-exclusive system operated by Coupang, the personal information of 22,440 orderers, which should have been visible only to the respective sellers, was exposed to other sellers. The leaked information included orderer names, order details, product price information, and delivery addresses.


Coupang used an open-source program for the Wing login authentication service and, starting in May 2021, enabled an optional feature that automatically reconnects when the network connection fails. Although a warning was issued in July 2022 not to use this option due to technical issues, Coupang kept the feature enabled until December 2023. The company failed to regularly check, inspect, and remediate vulnerabilities related to the safety of the open-source program.


Accordingly, the Personal Information Protection Commission imposed a fine of 1.31 billion KRW on Coupang and decided to publicly announce this fact on the Commission’s website.


Additionally, Coupang changed its policy in November 2019 to send only anonymized phone numbers to restaurants to protect Coupang Eats delivery workers’ personal information, but in reality, delivery workers’ personal information was sent to restaurants until November 2021. As a result, the real names and mobile phone numbers of Coupang Eats delivery workers were exposed in the order information integrated management system of Otter Korea, which is used by restaurants.


Coupang became aware in November 2020 that Otter Korea was receiving food order and delivery information from the Coupang Eats server via an application programming interface (API). However, Coupang repeatedly allowed and blocked Otter Korea’s server access and eventually allowed full access from June 2021, leading to the leakage incident.


Coupang recognized the personal information leak on November 23, 2021, but delayed notification of the leak beyond 24 hours without a valid reason. Otter Korea did not destroy the personal information of 135,000 delivery workers received from Coupang Eats after delivery completion and continued to retain it.


The Personal Information Protection Commission held Coupang responsible for violating safety measures obligations, resulting in the leakage of delivery workers’ personal information and delayed notification of the leak, imposing a fine of 278,650,000 KRW and a penalty of 10,800,000 KRW. The Commission also recommended that Coupang prepare improvement plans to ensure safe integration of personal information processing systems.


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
