Created with Gemini

[Korea Financial Times, Park seulgi] 33.7 million pieces of personal information leaked. An unprecedented massive incident. This accident occurred due to Coupang's clear negligence in failing to renew signing keys issued to authentication personnel. Sincere reflection and countermeasures from Coupang are required.

The National Assembly Science, ICT, Broadcasting and Communications Committee (Science Committee) emergency inquiry held at 10 AM on December 2 was attended by Vice Minister Ryu Je-myung of the Ministry of Science and ICT, Vice Chairman Lee Jung-ryeol of the Personal Information Protection Commission, and Coupang CEO Park Dae-jun and Chief Information Security Officer (CISO) Brett Mathis. This inquiry was held to determine responsibility for the unauthorized leak of approximately 33.7 million customer information from Coupang.

The incident was sparked by Coupang's poor management of long-term valid authentication keys. The analysis is that the structure allowing former employees to continue accessing the system was maintained because signing keys issued to authentication personnel were not renewed, and this loophole led to the massive leak. The leaked information includes customer names, emails, phone numbers, addresses, and some order information.

According to the response progress report disclosed by Vice Minister Ryu at the inquiry, the identified attack period in the Coupang personal information leak incident was from June 24 to November 8, 2025. Vice Minister Ryu stated, "Full log analysis from July 2024 to November 2025 shows that personal information from over 30 million accounts was leaked during this period."

He continued, "The attacker accessed and leaked customer information abnormally multiple times without logging in," explaining, "In this process, encryption keys that digitally sign authentication tokens used when accessing Coupang servers were used."

"Under police investigation, trade secret..." Kim Bom-suk Chairman liability raised

CEO Park Dae-jun and CISO Mathis who attended the inquiry expressed "deep responsibility" but avoided answering sensitive questions with responses like "under police investigation," "not identified," or "don't know exact figures." Particularly, it was confirmed that many of the materials requested by lawmakers the previous day were not submitted.

CEO Park said, "I received material requests from many lawmakers yesterday, which takes physical time," but lawmakers did not accept this at face value. Lawmakers poured out complaints, saying "You came to the National Assembly so often during the audit, but when we requested materials, you became unreachable," or "We received answers that materials cannot be provided citing trade secrets even for non-trade secret material requests."

Chairman Kim Bom-suk of Coupang Inc's liability also emerged. Lawmakers' demands continued that Chairman Kim Bom-suk, the actual owner of Coupang, should personally apologize given the massive leak. Regarding this, CEO Park drew a line, saying, "This happened at the Korean corporation and is my responsibility, so I should apologize. I will take responsibility to the end and do my utmost."

Additionally, Coupang was criticized for trying to downplay the controversy by using the word 'exposure' instead of 'leak.' Rep. Cho In-cheol of the Democratic Party of Korea pointed out, "Using exposure instead of leak is a strategy to blur the issue." Rep. Hwang Jung-ah of the Democratic Party also pressed, "Doesn't it make no sense that a company that led distribution innovation with dawn delivery cannot distinguish between leak and exposure, trying to evade the situation with wordplay?"

Science Committee Chairwoman Choi Min-hee (Democratic Party) mentioned holding future hearings, calling Coupang's response insincere. Chairwoman Choi said, "CEO Park is avoiding answers with police excuses. Before this meeting ends, I will set a hearing date with agreement between the floor leaders," adding "I will adopt CEO Park as well as Chairman Kim Bom-suk, the actual owner of Coupang, as witnesses."

Is the perpetrator Chinese?...Coupang and government unable to speak

Over 30 million pieces of personal information were leaked from Coupang. / Photo courtesy of Coupang

This incident is known to be the work of a Chinese authentication personnel who left Coupang. However, the government and Coupang management are only saying "under police investigation" day after day, not answering forthrightly.

Rep. Lee Jun-seok of the Reform Party asked whether the information leaker was ethnic Korean Chinese or Chinese. CEO Park was cautious, saying "Investigation is currently underway."

Rep. Park Chung-kwon of the People Power Party also asked, "Is it correct that the leaker is a former employee with Chinese nationality?" but CEO Park answered, "It is dangerous for me to specify a suspect or speak about matters under investigation."

The government is the same. Rep. Park Jung-hoon of the People Power Party asked Minister of Science and ICT Bae Kyung-hoon, "Is the Chinese person in Korea?" Minister Bae replied, "It is difficult to specify the country."

Rep. Park Jung-hoon then pressed, "Can't it be revealed that he's Chinese? Is it because of diplomatic friction? Don't you know that the perpetrator left for China? Don't you know anything about communicating with the Chinese government?"

Minister Bae then was cautious, saying "I understand the police are investigating not only domestically."

How much will Coupang pay...Minimum KRW 1 trillion, maximum KRW 4 trillion?

Interest is growing in the fines and punishment levels Coupang must pay for this incident. Figures range from at least KRW 1 trillion to as much as KRW 4 trillion. Business suspension is also being mentioned.

According to the Personal Information Protection Act revised in 2023, fines of up to 3% of revenue can be imposed for violations. For a personal information leak accident that occurred in April, SK Telecom was fined a record KRW 134.79 billion. For Coupang, which recorded revenue of KRW 41 trillion last year, this could reach KRW 1.3 trillion.

President Lee Jae-myung instructed to prepare practical measures including application of punitive damage compensation systems regarding this case. At the 52nd Cabinet meeting, President Lee said, "Despite the massive scale of 34 million cases, it's truly surprising that the company didn't even detect the leak itself after the incident occurred. Is this the extent?"

He continued, "Related ministries should refer to overseas cases to strengthen fines and actualize punitive damage compensation systems, and come up with effective measures."

Regarding this, Rep. Lee Hoon-gi of the Democratic Party said, "The president said punitive damage compensation is necessary, and if so, 10% of revenue, meaning Coupang must pay KRW 4 trillion." Rep. Lee submitted a Personal Information Protection Act amendment increasing fines to 10%. It is reported that related discussions occurred at the Office of the President as well.

Vice Chairman Lee Jung-ryeol of the Personal Information Protection Commission said, "We have currently formed an investigation team and a task force that is stationed there. We will strictly dispose according to the law."

Business suspension is also possible. Currently, under the E-Commerce Act, business suspension can be imposed if property damage occurs from telecommunications sales, and government-related departments are reportedly comprehensively reviewing punishment measures including business suspension.

Park seulgi (seulgi@fntimes.com)


데일리 금융경제뉴스 FNTIMES - 저작권법에 의거 상업적 목적의 무단 전재, 복사, 배포 금지
Copyright ⓒ 한국금융신문 & FNTIMES.com