Companies' minimum insurance obligation prompts concern following Coupang, SKT data leaks

2025. 12. 8. 10:29
음성재생 설정 이동 통신망에서 음성 재생 시 데이터 요금이 발생할 수 있습니다. 글자 수 10,000자 초과 시 일부만 음성으로 제공합니다.
글자크기 설정 파란원을 좌우로 움직이시면 글자크기가 변경 됩니다.

이 글자크기로 변경됩니다.

(예시) 가장 빠른 뉴스가 있고 다양한 정보, 쌍방향 소통이 숨쉬는 다음뉴스를 만나보세요. 다음뉴스는 국내외 주요이슈와 실시간 속보, 문화생활 및 다양한 분야의 뉴스를 입체적으로 전달하고 있습니다.

Despite the risk — and very real outcome — of a data leak affecting millions of customers, Coupang and SK Telecom carry liability insurance policies for personal information that cover a mere 1 billion won ($680,000), the minimum mandated by law.
A Coupang delivery truck is parked at the company's logistics center in Seoul on Dec. 7. [NEWS1]

Despite the risk — and actuality — of a data leak affecting millions of customers, Coupang and SK Telecom (SKT) carry liability insurance policies for personal information that cover a mere 1 billion won ($680,000), the minimum mandated by law.

According to the insurance industry, Coupang is currently insured by Meritz Fire & Marine Insurance, with a coverage limit of 1 billion won. This means that even if Coupang is found liable for damages in connection with the breach, insurance payouts would be capped at that amount. The company has not yet filed an insurance claim related to the incident, according to industry sources.

“The 1 billion won ceiling is essentially ineffective in a breach affecting tens of millions of people,” one industry source said.

Roughly 33.7 million Coupang accounts were compromised in the breach, raising concerns that any related class action lawsuits could become the largest of their kind in Korean legal history.

SKT, which saw the personal data of 23 million users compromised, was also insured for only 1 billion won under a policy with Hyundai Marine & Fire Insurance.

While Korea’s Personal Information Protection Act requires companies above a certain size to carry liability insurance, there has long been criticism that the minimum requirement is too low to meaningfully compensate affected users. For example, even firms with more than 80 billion won in annual revenue or over 1 million data subjects are only required to carry a 1 billion won policy.

A pedestrian walks by an SK Telecom shop in Seoul on Nov. 4. [NEWS1]

“The current payout cap is utterly inadequate given the scale of potential victims, which can range from hundreds of thousands to tens of millions,” said one industry insider. There are also concerns that companies may delay or evade compensation due to insufficient insurance coverage.

The insurance sector and related associations plan to formally propose to the Personal Information Protection Commission that the minimum coverage requirement for large corporations be raised to 100 billion won.

Regulatory enforcement of the insurance mandate is also facing scrutiny. While the Personal Information Protection Act imposes fines of up to 30 million won for failing to enroll in the required insurance following a correction order, the commission has yet to issue a single penalty — citing difficulty in identifying violators.

As of the end of June, there were roughly 7,000 active policies across 15 insurers offering data breach liability insurance. According to the commission, the number of businesses subject to the mandate is estimated to be between 83,000 and 380,000, suggesting a compliance rate of only 2 to 8 percent as of the end of May.

This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom. BY JEONG JAE-HONG [yoon.soyeon@joongang.co.kr]

Copyright © 코리아중앙데일리. 무단전재 및 재배포 금지.