Seoul Accuses Coupang of Undermining Investigations into Data Breach
South Korean e-commerce leader Coupang continues to grapple with the consequences of a significant data breach affecting the personal data of 33.7 million customers. The breach has been tied to a former employee who illegally accessed sensitive information before fleeing to China, prompting widespread criticism and regulatory scrutiny.
Following the breach, which exposed names, addresses, emails, and phone numbers of nearly every adult in the nation, Coupang’s attempts to manage its public image have drawn ire from both government regulators and consumer advocates. The incident has even attracted attention from U.S. lawmakers, who are concerned about what they perceive as Korea’s unfair targeting of the company, headquartered in Seattle.
Investigations led by the Seoul Metropolitan Police Agency are now underway, while South Korean authorities have reportedly issued an Interpol red notice seeking the extradition of the principal suspect. Coupang has pledged full cooperation but has been criticized for presenting its own “self-investigation” findings, which regulators argue misrepresent the involvement of government authorities.
Authorities have voiced their frustration, with the data protection watchdog instructing Coupang to halt the publication of its findings as they are not government-validated and could disrupt ongoing investigations. Specific allegations include claims that evidence has not been produced promptly and that the company may have impeded the investigation through its actions. The severity of the claims has led to potential obstruction charges against Coupang.
Founded in South Korea in 2010 and now operating publicly in the U.S., Coupang is often referred to as the “Amazon of South Korea.” The company reported having 24.7 million active customers as of last September, marking a 10% increase year-on-year. However, the breach has led to significant leadership changes, including the resignation of CEO Park Dae-jun last month.
In mid-December, South Korean lawmakers called for Coupang’s founder and chairman, Bom Kim, to testify regarding the company’s oversight and response to the breach. His absence during these critical sessions raised further questions, prompting interim CEO Harold Rogers to face intense questioning regarding the company’s actions. Compounding the situation, Rogers reportedly failed to comply with a police summons, citing a pre-scheduled business trip, which has raised suspicions among investigators that he may have sought to avoid scrutiny.
The criticisms of Coupang’s handling of the breach extend to its response strategy, which has included efforts to reclaim customer trust by offering $34 in compensation in the form of vouchers for specific services. Critics have denounced this measure as inadequate, calling for direct cash compensation instead, with consumer rights groups accusing the company of relying on misleading tactics to mitigate fallout from the incident.
This breach, which has put Coupang in the spotlight, demonstrates a complex intersection of cybersecurity risks and regulatory oversight. It serves as a poignant reminder of the vulnerabilities in the e-commerce sector, highlighting potential adversary tactics as outlined in the MITRE ATT&CK framework, including initial access via insider threats, data exfiltration, and evasion methods to destroy evidence. With ongoing investigations and evolving challenges, the situation remains fluid and presents a stark warning to businesses about the critical importance of robust cybersecurity measures and transparent crisis management.
