Seoul Investigates Coupang for ‘Self-Investigation’ Amid Data Breach Fallout
The recent data breach involving Coupang, South Korea’s largest e-commerce platform, has escalated significantly, as government bodies express dissatisfaction with the company’s efforts to address the incident. The breach, linked to a rogue former employee who allegedly absconded to China, exposed the personal data of 33.7 million customers, including critical information such as names, addresses, and contact numbers. With a population of approximately 52 million, this incident potentially affects nearly every adult in Korea, raising alarm among both government officials and consumer advocates.
This situation has drawn international scrutiny, with U.S. lawmakers also voicing concerns over perceived governmental overreach in targeting the e-commerce giant, which has its headquarters in Seattle. Amidst growing tensions, multiple task forces led by the Seoul Metropolitan Police Agency are conducting investigations, and an Interpol red notice has been issued for the primary suspect, a Chinese national believed to be involved in the breach.
Coupang, which claimed cooperation with law enforcement, reported having located the suspect and recovered a MacBook Air that contained critical evidence. However, South Korea’s data protection authority has advised the company to cease its “self-investigation” disclosures, suggesting that these statements could mislead the public into thinking they were made with governmental oversight. The agency warned that such assertions were unverified and could jeopardize ongoing investigations.
Moreover, the country’s regulatory body accused Coupang of failing to promptly provide requested evidence, heightening concerns over the company’s compliance with legal standards. Reports indicate the suspect attempted to destroy evidence by maliciously damaging the laptop and disposing of it in a river, raising questions about the effectiveness of the company’s internal security protocols.
Coupang, launched in 2010 and ranked among the top 150 global companies by revenue, is often likened to Amazon.com for its extensive marketplace and logistical capabilities. In response to the breach, Coupang’s CEO resigned, reflecting the seriousness of the incident. Lawmakers have summoned the company’s founder, Bom Kim, a U.S. citizen, to testify regarding the firm’s governance and breach management practices, but instead, interim CEO Harold Rogers faced tough questions during his appearance.
Rogers’ absence following a trip outside South Korea has raised further suspicion, with local authorities investigating whether he misled lawmakers. This scrutiny could lead to potential obstruction charges, compounding the company’s challenges as it navigates regulatory and reputational hurdles. Coupang has stated that Rogers’ travel was pre-scheduled, asserting a commitment to assist the investigation.
The company’s attempt to regain public trust through a compensation plan, offering affected individuals $34 in vouchers for specific services, has been met with criticism. Consumer rights advocates have condemned the strategy as insufficient, urging for direct cash compensation instead. The backlash highlights the divisions between corporate measures and consumer expectations, suggesting that initial recovery efforts may not adequately address widespread concerns from customers.
As investigations continue, experts speculate that the tactics involved in this breach align with the MITRE ATT&CK framework, potentially involving initial access techniques typically linked to insider threats. Such incidents can lead to not only data exfiltration but also long-term implications for organizational trust and cybersecurity governance, necessitating a comprehensive response by the affected company and vigilance from stakeholders.
