(Re)in Summary
• Coupang’s data breach exposed information of 33.7 million users, with insurance cover capped at KRW 1bn (US$682k) from Meritz Fire & Marine Insurance, according to local media reports.
• Korea’s law mandates a KRW 1bn minimum cover for large firms, leaving most of Coupang’s potential liability — estimated at up to KRW 3.37 trillion — uninsured.
• Users are also suing for 200,000 won per person, which could raise compensation costs beyond historical precedent.
• Case highlights a protection gap in Korea’s mandatory cyber insurance limits, particularly for large platforms.
Coupang’s recent data breach has cast a light on the limits of Korea’s mandatory personal information leakage cover, with the e-commerce group’s policy with Meritz Fire & Marine Insurance capped at just KRW 1bn (approx. US$682k), according to local media reports.
Upon first detecting unusual activity, Coupang notified the Personal Information Protection Commission on 20 November that 4,500 accounts had been exposed. The company expanded this figure to 33.7 million on 29 November following a more thorough internal investigation.
Customer account data that had been leaked includes names, contact details, email addresses, shipping addresses, and partial order histories. The breach began on 24 June, but remained undetected for nearly five months.
Korea’s Personal Information Protection Act requires firms above a certain size and data thresholds to buy personal information leakage compensation insurance or set aside reserves. Companies with annual revenue above about KRW 80bn and more than 1m data subjects fall into the top tier, but are still only required to purchase a KRW 1bn policy.
With annual revenue of more than KRW 40 trillion, Coupang easily fits into the highest tier. The low limit of its cyber insurance protection, however, means it will now bear the vast majority of any compensation costs to users.
Over 3,370 times the policy limit
In past privacy cases in Korea, courts have awarded about KRW 100k per claimant for breaches. If courts award damages at historical precedent levels, Coupang’s compensation liability could reach at least 3.37 trillion won — more than 3,370 times the policy limit.
A further complication that could put upward pressure on compensation amounts is that users of the platform are currently suing Coupang for KRW 200k per person.
The protection gap between plausible loss scenarios and statutory minimum limits has fuelled concern in the non-life sector that Korea’s mandatory product falls far below the risk profile of large platforms with dense data concentrations.
SK Telecom, which suffered a breach affecting 23 million users in April, also carried the statutory 1bn won minimum with Hyundai Marine & Fire Insurance at the time of the incident. In October, SK Telecom purchased a separate cyber insurance policy with a KRW 100bn limit.
The case exposes a potential contradiction: minimum-limit placements are meant to ensure that all firms have protection from cyber losses, but if limits are too low, they leave the bulk of cyber risk uninsured when incidents affect scores of users, particularly if they trigger court actions across multiple jurisdictions.
For Meritz and its insurance peers, the outcome of the Coupang loss and any related litigation is likely to shape future pricing, capacity, and limit structures for personal information leakage and broader cyber covers in Korea.