South Korea's Personal Information Protection Commission (PIPC) is in the final stages of investigating Coupang's data breach, with authorities indicating possible cooperation with Taiwan after some leaked user data was traced to Taiwan-based accounts.
"The Coupang data breach investigation is in its final stages," PIPC Vice Chairman Lee Jeong-ryeol said at a regular briefing at the Government Seoul Complex on Friday. "We are conducting a final review of the specific scale and circumstances of the breach, as well as whether violations of the Personal Information Protection Act apply."
Lee added that a team of expert investigators is stationed on-site, and the commission is analyzing findings shared by a joint public-private investigation team.
Regarding Coupang Inc.'s disclosure that approximately 200,000 of the 33 million compromised accounts were Taiwan-based, Lee emphasized the need for cross-verification. "That figure is from Coupang's own investigation and has not been independently confirmed by the commission," he said, adding, "We can cooperate with Taiwan if necessary."
The gap between government and company assessments of the breach's scale suggests regulators are not accepting the company's findings at face value.
Once administrative sanctions are finalized, a suspended collective dispute mediation process will resume immediately. The PIPC had previously approved mediation proceedings filed by approximately 2,600 Coupang customers but halted the process pending investigation results.
The commission plans to release findings on data breaches at other companies in sequence. Regarding the KT breach that occurred in September last year, Lee said, "The number of servers to examine has increased due to malware infection. We are confirming violations and will wrap up soon."
Investigations into breaches at eight Kyowon Group subsidiaries and Seoul's public bicycle service "Ttareungi," both cases that emerged this year, are being conducted in cooperation with police and other law enforcement agencies, according to the PIPC.
The commission has shifted its policy focus this year from post-incident sanctions to prevention. While penalties will be strengthened for repeated and serious breaches, companies that make preemptive security investments will receive incentives such as reduced fines.
To implement this approach, the PIPC has established a new director-general level position of "Prevention and Mediation Deliberation Officer" under the Investigation and Mediation Bureau and is expanding staff to conduct extensive preliminary compliance inspections this year.
The commission also plans to accelerate a second round of amendments to the Personal Information Protection Act, focused on strengthening liability for damages, with National Assembly cooperation.
"New types of personal information violations are increasing with the spread of AI and digitalization," Lee said. "We will take the lead in building a prevention-focused protection system alongside strict enforcement."