The data leak at Coupang, which revealed personal details of 33.7 million people, is increasingly being recognized as a human-caused incident. As per documents provided by Coupang to the office of Democratic Party of Korea Representative Choi Min-hee on the 1st, a Chinese suspect, while working at Coupang, was in charge of issuing tokens (passwords) to employees needing access to the internal network. In a typical company, these access rights would be removed upon resignation, but this individual is alleged to have continued accessing Coupang’s internal network for five months after leaving the company, stealing personal data from approximately 230,000 users daily. Professor Hwang Suk-jin from the Graduate School of Information Security at Dongguk University remarked, “This is similar to a deserter freely entering and exiting a military base by receiving daily passwords,” and added, “It’s hard to believe this occurred in a corporate environment.”

Studies indicate that the incident is a predictable result of Coupang’s leadership approach, in which technical teams focused on business growth (engineers) and crisis handling (lawyers, government affairs) have expanded significantly, while oversight management to monitor and control internal operations has disappeared. Specifically, public anger has increased towards Kim Bom-suk, the 47-year-old founder who owns 74.3% of voting rights in Coupang Inc., the U.S.-based parent company that wholly owns Coupang Korea, for staying quiet despite the most severe data breach in the company’s history.

The consequences keep growing. On the 1st, 14 Coupang users—the first since the incident—filed a lawsuit at Seoul Central District Court, each requesting 200,000 South Korean won in damages. Participation in an online forum gathering plaintiffs is increasing rapidly. Chief of Staff to the President Kang Hoon-sik stated, “The fact that punitive damage mechanisms are not functioning properly has shortcomings in preventing major data breaches,” and directed officials to “review enhancements to ensure the system works effectively when corporate responsibility is evident.”

◇Taking Control, Transferring Accountability to Paid CEOs… The Security Disaster Conceals ‘Kim Bom-suk-Style Management’

Information security professionals have labeled the event as a “failure to maintain even the most fundamental management procedures.” Corporate security systems generally follow a three-tier model: tokens, authentication keys, and signature keys. Tokens function similarly to daily military passwords; authentication keys confirm the current day’s password; and signature keys validate the password’s legitimacy, much like a military seal. The Chinese developer implicated in this case was reportedly in charge of issuing tokens to employees requiring access to the internal network while working at Coupang. Unlike typical companies that revoke access upon an employee’s departure, Coupang did not do so. According to Coupang’s suspicions, this developer, after resigning and returning to China, accessed the internal network for 147 days, stealing user data.

Coupang had no knowledge that a former employee still had access or that hundreds of thousands of personal records were being leaked on a daily basis. The internal network stayed open for the Chinese developer until he sent threatening emails to users, revealing the security breach. Professor Kwon Hun-young from Korea University’s Graduate School of Information Security said, “Granting a former employee continued access to keys represents a total failure of a company’s responsibility to enforce safety protocols under the Personal Information Protection Act.” The incident highlighted Coupang’s alarmingly weak internal controls for a technology company.
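The control whose absence is described above, as an added example (not Coupang's code and not taken from the documents cited): retiring a signing key when someone who could read it leaves, so that tokens minted with the retained key fail verification. The HMAC token format, the key-store layout and names such as `offboard` are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets

# Constructed key store: key id -> secret, staff who can read it, retirement time.
KEYS = {"k1": {"secret": secrets.token_bytes(32),
               "custodians": {"dev_a", "dev_b"}, "retired_at": None}}

def _sign(kid, payload):
    return hmac.new(KEYS[kid]["secret"], payload, hashlib.sha256).digest()

def issue_token(kid, subject, now, ttl=86400):
    """Mint a token: base64(claims) + "." + base64(HMAC-SHA256 over the claims)."""
    payload = json.dumps({"kid": kid, "sub": subject, "exp": now + ttl}).encode()
    enc = base64.urlsafe_b64encode
    return enc(payload).decode() + "." + enc(_sign(kid, payload)).decode()

def offboard(user, now):
    """Retire every signing key the leaver could read and create a successor key."""
    retired = []
    for kid, key in list(KEYS.items()):
        if user in key["custodians"] and key["retired_at"] is None:
            key["retired_at"] = now
            KEYS[f"{kid}-r{now}"] = {"secret": secrets.token_bytes(32),
                                     "custodians": key["custodians"] - {user},
                                     "retired_at": None}
            retired.append(kid)
    return retired

def verify_token(token, now):
    """Return (accepted, reason) for a presented token."""
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
        claims = json.loads(payload)
        kid, exp = claims["kid"], claims["exp"]
        key = KEYS[kid]
    except (ValueError, KeyError, TypeError):
        return False, "malformed"
    if not hmac.compare_digest(sig, _sign(kid, payload)):
        return False, "bad-signature"
    if key["retired_at"] is not None:
        # The signature is valid, but the key left the building with its custodian.
        return False, "retired-key"
    if now >= exp:
        return False, "expired"
    return True, "ok"
```

Rejections with reason `retired-key` are worth alerting on: they mean someone is still presenting tokens signed with a key that should no longer be in use.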

◇Total Neglect of Information Security Responsibilities

The incident has also brought attention to Coupang’s dual internal control system. Although the company bans warehouse employees from carrying mobile phones “for security reasons”—a policy that has faced criticism for hindering emergency responses during previous fatal incidents—the management of foreign developers with access to critical data was notably careless. Frontline workers were viewed as possible offenders, while foreign technical staff, who had the ability to cause major data breaches, were given almost unrestricted access. An industry insider stated, “This shows how Coupang’s growth-at-all-costs mentality has elevated tech development teams to a sacred status while making risk management ineffective.”

Coupang faced backlash for its handling of the data breach. At first, it used the word “exposure” rather than “leak” when referring to the incident involving personal data. Legal professionals believe this was a strategy to minimize potential liabilities from class-action lawsuits (including penalties) against Coupang Inc., the company listed in the U.S. Although Coupang announced the data leak affecting 33.7 million users on the 29th of last month, many users only received notifications the next day. An apology was published in the app on the 30th. A representative from the distribution sector stated, “It is reported that Coupang’s decision-making process requires approval from the U.S. even for the wording in official statements,” and added, “Delayed responses and messages that do not align with Korean consumer sentiments are characteristic of the company.”

◇Coupang-Style Administration: Dividing Accountability, Ensuring Oversight

The absence of Kim Bom-suk, the chairman of Coupang Inc., during the most severe data breach in history has intensified public frustration. Kim, who owns 100% of Coupang Korea and 74.3% of voting rights in Coupang Inc., stepped down as a registered director of the Korean branch in 2021, thereby removing himself from legal responsibility. This is different from individuals such as Lee Hae-jin, the founder of Naver (in a case involving a worker’s death), or Chey Tae-won, the chairman of SK Group (in a telecommunications outage), who offered public apologies during emergencies.

A representative from the distribution sector stated, “Although 90% of Coupang’s income is generated in Korea, key choices are determined by Kim and the U.S. board, with Korean managers being held accountable—a setup that has led to Coupang being an unusual company.” Analysts claim that Coupang’s expansion strategy, which lacks a sense of social responsibility, is facing its most significant challenge.
