Government rebuts Coupang, says data breach far broader than claimed

Authorities say data of 33 million users was exposed, contradicting Coupang’s claim of 3,000 affected accounts

Coupang's interim CEO Harold Rogers is sworn in before the parliamentary hearing at the National Assembly in Seoul on Tuesday. (Lee Sang-sub/The Korea Herald)

The Korean government on Tuesday asserted in a parliamentary hearing that the personal information leakage from Coupang’s data breach affected more than 33 million accounts, rebutting Coupang’s claim that user data was exposed in only about 3,000 cases.

“The Personal Information Protection Commission, the National Police Agency and a public-private joint investigative team confirmed that over 33 million names and emails were leaked,” said Korea’s Deputy Prime Minister and Minister of Science and ICT Bae Kyung-hoon during the National Assembly’s Coupang hearing in Seoul.

“We determined that data including delivery addresses and delivered items were also leaked.”

Bae expressed “serious concern” over the fact that Coupang announced the results of a self-investigation without consulting the government, adding that the decision to proceed in that way must have been based on "extremely malicious intent."

The minister underscored that Coupang’s claim that the perpetrator -- an ex-employee -- retained the personal information of only about 3,000 users is based on what Coupang found from the devices it retrieved, pointing out that the suspect could have uploaded the information of over 33 million users to cloud servers.

The lawmakers condemned Coupang’s announcement of its own investigation results, criticizing the absence of Coupang founder and chair Bom Kim, his brother and Vice President Yoo Kim, and former Coupang Korea CEO Kang Han-seung.

According to the lawmakers, who claimed to have obtained an email the perpetrator sent to Coupang threatening to expose its cyber vulnerabilities, the company's self-probe findings were likely inaccurate. They also pledged to push for a parliamentary investigation into the Coupang data breach, underlining the severity of the incident and the company’s response.

When asked whether the company would offer a better compensation package for the data breach, Coupang interim CEO Harold Rogers said the 1.685 trillion won ($1.2 billion) compensation is unprecedented.

Just hours before Coupang representatives headed to the parliamentary hearing, New York-listed Coupang Inc., which wholly owns Coupang Korea, submitted an additional report to the United States Securities and Exchange Commission, updating the US authorities on its proposed plan to offer a 50,000 won voucher to every user affected by the data breach.

“The perpetrator accessed 33 million accounts, but only retained user data from approximately 3,000 accounts,” said Coupang, noting that it had hired three cybersecurity firms -- Mandiant, Palo Alto Networks and Ernst & Young -- to conduct a forensic investigation.

According to Coupang, the perpetrator subsequently deleted the user data, which included 2,609 building entrance codes but no payment data, login data or individual customs numbers, and did not transfer any of the data to third parties.

Coupang reiterated that the ongoing probe into the personal information leakage was not a “self-investigation,” adding that the investigation was coordinated under the Korean government’s express direction on a daily basis over a period of several weeks.

The online platform company also offered a detailed timeline of how it has worked with the local authorities to recover the leaked information from Dec. 1 to 26, noting that it had met with the perpetrator, retrieved relevant devices such as a laptop and handed them over to the government.

However, the Seoul Metropolitan Police Agency announced that Coupang did not reveal the process of its own forensic investigation when delivering the laptop to the authorities.

Park Jeong-bo, the commissioner of the SMPA, said police were reviewing the submitted evidence, stressing that if there was any tampering with the laptop, police would hold Coupang accountable for such illegality.

The National Assembly will continue its two-day Coupang hearing through Wednesday.