Political pressure is mounting over a massive personal data breach at Coupang, South Korea’s largest e-commerce company, raising concerns about how the fallout may extend beyond Coupang itself to affect the broader industry.
On the morning of the 17th, the National Assembly’s Science, ICT, Broadcasting and Communications Committee held a hearing on the Coupang data breach, questioning Coupang CEO Harold Rogers, Chief Information Security Officer Brett Mathis, and Coupang Eats CEO Kim Myung-kyu about the circumstances of the leak, the company’s security practices, measures to prevent recurrence, and compensation plans.
Criticism intensified after Coupang founder and Coupang Inc. board chair Kim Beom-seok, along with former CEOs Park Dae-joon and Kang Han-seung, all failed to appear despite being summoned as witnesses.
Coupang has built a dominant position in the Korean market with its “dawn delivery” system, which delivers items ordered by late night to customers’ doorsteps by early morning the next day. Given its massive user base, the exposure of data from more than 30 million customer accounts has raised serious alarm.
Massive Leak of “Delivery Information”
In mid-November, some Coupang customers received anonymous emails.
IT programmer Park Chan-hee told that on the evening of November 16 he received an email titled “Your personal information may have been leaked.” The email contained his name, phone number, addresses for five delivery locations including his home, and details of 15 recent orders.
Park immediately notified Coupang and said he received a response the next day stating that “about 4,500 people’s personal information may have been leaked.” He recalled thinking, “This is bigger than I expected.”
The scale, however, turned out to be far larger. On November 29, Coupang announced that partial personal information—including names, email addresses, phone numbers, addresses, apartment building entry codes, and order histories—had been exposed from 33.7 million customer accounts.
While personal data breaches have occurred multiple times in Korea, this case has drawn particular concern because it involved delivery address information—names, phone numbers, addresses, and entry codes—as well as order histories that reveal customers’ preferences and daily routines. Experts warn that such data could be exploited for more sophisticated crimes extending into physical spaces.
Korean regulatory authorities are still investigating the scope and cause of the breach, and reports indicate that a former employee of Chinese nationality has been identified as a suspect. Seoul Metropolitan Police Agency’s Cyber Investigation Division conducted a week-long raid starting on the 9th at Coupang’s headquarters in Songpa-gu, Seoul.
On the 10th, Coupang CEO Park Dae-joon resigned, and Harold Rogers, Coupang Inc.’s U.S.-based Chief Administrative and Legal Officer, was appointed interim CEO.
What Comes Next?
Attention is now focused on whether Chairman Kim Beom-seok will respond to the National Assembly’s summons. Over the past decade, Kim has repeatedly declined to appear before the Assembly regarding issues such as allegations of unfair practices toward subcontractors and deaths of workers at logistics centers.
Choi Min-hee, chair of the Science, ICT, Broadcasting and Communications Committee, said she could not accept Kim’s explanation that his global schedule as CEO of a company operating in more than 170 countries prevented him from attending the hearing.
Lawmakers from the ruling Democratic Party criticized Kim in a statement on the 14th, saying: “It is deceptive to the Korean people for the de facto controller of a company that earns enormous profits in Korea, provides services to Koreans, and handles their personal data to avoid accountability.”
Although Coupang is headquartered in the United States, listed on a U.S. stock exchange, and Kim Beom-seok is a U.S. citizen—factors that could label it a “U.S.” or “global” company—most of its revenue comes from the Korean market, prompting calls for greater cooperation with Korean political and regulatory authorities.
According to last year’s business report, more than half of Coupang’s total revenue was generated in Korea, and over 90% when considering only its core retail and distribution business.
The Democratic Party is exploring measures such as criminal complaints and a parliamentary investigation to compel Kim’s appearance. On the same day, the National Assembly’s Political Affairs Committee decided to file a complaint against Kim for violating the National Assembly Testimony and Appraisal Act by failing to appear. While such actions may provide legal grounds to summon him, enforcing compliance against someone residing abroad long-term is expected to be difficult.
On the previous day, Democratic Party lawmaker Jeon Yong-gi introduced amendments to the National Assembly Testimony and Appraisal Act and the Immigration Control Act that would allow authorities to request an entry ban on foreign nationals who refuse to comply with Assembly summons without just cause.
As political pressure intensifies, attention is also turning to how much Coupang may ultimately pay in fines or compensation. Rogers said regarding compensation, “We are cooperating with regulatory investigations and are still assessing the situation,” adding, “We will announce a compensation plan along with the investigation results.”
On November 16 (local time), Coupang disclosed the breach to the U.S. Securities and Exchange Commission (SEC), stating that its operations had not suffered significant disruption but warning of risks including management distraction, potential revenue declines, corrective measures, fines, and litigation costs that could result in substantial financial losses.
That same day, the National Assembly’s Political Affairs Committee approved amendments to the Personal Information Protection Act that would allow fines of up to 10% of a company’s total revenue for major data breaches, up from the current maximum of 3%. However, the likelihood of retroactive application to the Coupang case appears low.
Since the breach surfaced, multiple class-action and individual lawsuits have been filed against Coupang, which is expected to increase legal costs. It remains to be seen how many users will actually leave the platform and how much revenue will be affected. While some customers have vowed to boycott or delete their accounts, others say they will continue using Coupang for its convenience.
Sellers and employees who depend on Coupang for their livelihoods are increasingly concerned about growing uncertainty as the situation drags on. A woman in her 40s who sells cosmetics on Coupang told that her sales dropped by 80% after the breach became public, saying, “Daily necessities may not be hit as hard, but for products like cosmetics that don’t need to be delivered quickly, the impact is severe.”
Coupang’s first integrated labor union, Kounion—the Coupang branch of the Korean Confederation of Trade Unions’ Chemical, Fiber, Food and Service Workers’ Union—issued a statement on the 15th demanding a sincere apology from the chairman, stating that “the company’s apparent evasion of responsibility is prolonging the situation, amplifying the corporate crisis and spreading anxiety among employees.”
No comments:
Post a Comment