Personal Information Protection Commission(PIPC), Republic of Korea: Privacy regulator demands Coupang re-notify users of data breach as personal information 'leak'

The Personal Information Protection Commission (PIPC) said on Wednesday that e-commerce giant Coupang did not properly notify its customers of its recent major data breach and demanded a corrected notification, specifying personal information “leak,” not an “exposure” of such data.

The data protection regulator made the decision during an emergency meeting after Coupang announced last week that the personal information of 33.7 million customers — including names, addresses and phone numbers — had been compromised.

While Coupang notified affected users of the breach, the company merely described it as personal information being “exposed” when it had actually been “leaked,” according to the PIPC.

The regulator said that Coupang also partially omitted stating which kinds of data had been affected and announced the breach on its website for only one to two days.

It ordered the company to notify affected customers again of the leak; advise them of data protection measures, such as changing their passwords; reinspect steps to prevent harm to customers; then submit the results of the measures to the PIPC within one week.

“[We] will swiftly and thoroughly investigate the circumstances [and] scope [...] of Coupang's personal information leak, as well as violations of safety duties, and impose strict punishments if violations are found,” the regulator said in a release.

Meanwhile, the PIPC said on Sunday that it strengthened its monitoring of illegal distribution of personal information on t

Source: https://koreajoongangdaily.joins.com/news/2025-12-03/business/industry/Privacy-regulator-demands-Coupang-renotify-users-of-data-breach-as-personal-information-leak/2468882

Personal Information Protection Commission(PIPC), Republic of Korea cybersecurity rating report: https://www.rankiteo.com/company/personal-information-protection-commission-pipc-republic-of-korea

"id": "PER1764741999",
"linkid": "personal-information-protection-commission-pipc-republic-of-korea",
"type": "Breach",
"date": "11/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'incident': {'affected_entities': [{'customers_affected': '33.7 million',
                                     'industry': 'Retail',
                                     'location': 'South Korea',
                                     'name': 'Coupang',
                                     'size': None,
                                     'type': 'E-commerce'}],
              'customer_advisories': 'Affected customers advised to change '
                                     'passwords and take protective measures.',
              'data_breach': {'data_encryption': None,
                              'data_exfiltration': None,
                              'file_types_exposed': None,
                              'number_of_records_exposed': '33.7 million',
                              'personally_identifiable_information': 'Yes',
                              'sensitivity_of_data': 'High (Personally '
                                                     'Identifiable '
                                                     'Information)',
                              'type_of_data_compromised': ['Names',
                                                           'Addresses',
                                                           'Phone numbers']},
              'description': 'Coupang, an e-commerce giant, experienced a '
                             'major data breach where the personal information '
                             'of 33.7 million customers was compromised. The '
                             'Personal Information Protection Commission '
                             '(PIPC) criticized Coupang for improperly '
                             "notifying customers, using the term 'exposed' "
                             "instead of 'leaked' and omitting details about "
                             'the types of data affected. The regulator '
                             'ordered Coupang to re-notify customers, advise '
                             'on protective measures, and submit a report on '
                             'preventive actions within one week.',
              'impact': {'brand_reputation_impact': 'Potential negative impact '
                                                    'due to improper handling '
                                                    'of breach notification',
                         'conversion_rate_impact': None,
                         'customer_complaints': None,
                         'data_compromised': 'Personal information of 33.7 '
                                             'million customers',
                         'downtime': None,
                         'financial_loss': None,
                         'identity_theft_risk': 'High',
                         'legal_liabilities': 'Possible fines and penalties '
                                              'from PIPC',
                         'operational_impact': None,
                         'payment_information_risk': None,
                         'revenue_loss': None,
                         'systems_affected': None},
              'initial_access_broker': {'backdoors_established': None,
                                        'data_sold_on_dark_web': None,
                                        'entry_point': None,
                                        'high_value_targets': None,
                                        'reconnaissance_period': None},
              'investigation_status': 'Ongoing',
              'lessons_learned': 'Importance of accurate and transparent '
                                 'breach notifications, including specific '
                                 'details about the type of data compromised '
                                 'and the nature of the incident (leak vs. '
                                 'exposure).',
              'post_incident_analysis': {'corrective_actions': 'Reinspection '
                                                               'of preventive '
                                                               'measures and '
                                                               'submission of '
                                                               'results to '
                                                               'PIPC within '
                                                               'one week.',
                                         'root_causes': None},
              'ransomware': {'data_encryption': None,
                             'data_exfiltration': None,
                             'ransom_demanded': None,
                             'ransom_paid': None,
                             'ransomware_strain': None},
              'recommendations': ['Ensure timely and accurate communication '
                                  'with affected customers.',
                                  'Provide clear guidance on protective '
                                  'measures (e.g., password changes).',
                                  'Conduct thorough inspections to prevent '
                                  'further harm to customers.',
                                  'Comply with regulatory requirements for '
                                  'breach notifications.'],
              'references': [{'date_accessed': None,
                              'source': 'Personal Information Protection '
                                        'Commission (PIPC)',
                              'url': None}],
              'regulatory_compliance': {'fines_imposed': None,
                                        'legal_actions': 'Potential strict '
                                                         'punishments if '
                                                         'violations are found',
                                        'regulations_violated': 'Personal '
                                                                'Information '
                                                                'Protection '
                                                                'Act (South '
                                                                'Korea)',
                                        'regulatory_notifications': 'PIPC '
                                                                    'ordered '
                                                                    'corrected '
                                                                    'notification'},
              'response': {'adaptive_behavioral_waf': None,
                           'communication_strategy': 'Initial notification on '
                                                     'website for 1-2 days; '
                                                     'ordered to re-notify '
                                                     'with corrected details',
                           'containment_measures': None,
                           'enhanced_monitoring': None,
                           'incident_response_plan_activated': None,
                           'law_enforcement_notified': None,
                           'network_segmentation': None,
                           'on_demand_scrubbing_services': None,
                           'recovery_measures': None,
                           'remediation_measures': 'Re-notification of '
                                                   'affected customers, advice '
                                                   'on password changes, and '
                                                   'reinspection of preventive '
                                                   'measures',
                           'third_party_assistance': None},
              'stakeholder_advisories': 'PIPC to investigate circumstances, '
                                        'scope, and violations of safety '
                                        'duties.',
              'title': 'Coupang Data Breach - Personal Information Leak',
              'type': 'Data Breach'}}