Home > National > Social Affairs

Lawmakers grill Coupang CEO over data leak suspect, founder's responsibility

Published: 02 Dec. 2025, 19:41 Updated: 02 Dec. 2025, 20:21

Park Dae-jun, CEO of Coupang, answers questions from lawmakers at the National Assembly’s Science, ICT, Broadcasting and Communications Committee meeting in western Seoul on Dec. 2. [LIM HYUN-DONG]

Lawmakers grilled Coupang's CEO on Tuesday for allowing a former employee to access company data for half a year without detection — leading to the leak of 33.7 million customers' information.

During an emergency session of the National Assembly’s Science, ICT, Broadcasting and Communications Committee on Tuesday, lawmakers revealed that the former Coupang employee responsible for the massive leak had resigned from the company in December last year. For five months starting in June, the individual accessed user data by generating fake entry tokens using a stolen password, or signature key, obtained before departure. One lawmaker even called for the arrest of Kim Bom, founder and majority shareholder of Coupang Inc., the U.S.-based parent company of the e-commerce giant.

According to Coupang CEO Park Dae-jun, the individual in question "was a developer responsible for our authentication systems and left the company in December last year. All access rights were revoked upon resignation.” Brett Matthes, Coupang’s chief information security officer, explained that the person seemingly stole a personal signature key before leaving the company and used it to impersonate a current employee.

Matthes explained that the leak went unnoticed for five months because the intrusions came from various IP addresses and sources, remaining below the company's detection threshold. The employee allegedly created multiple keys and extracted data in small amounts to avoid triggering security alerts.

Rep. Lee Jun-seok of the Reform Party wrote on Facebook after the session, “Even if a signature key was stolen, the perpetrator would need access to all user email addresses to breach each account. The fact that this was possible indicates a fundamental flaw in Coupang’s system.” He criticized Coupang for failing to encrypt user identifiers as random values, allowing sequential ID inputs — like 1, 2, 3 — to grant access to every user’s email.

“It’s as if a door meant for internal use was left open to the outside,” he added. Coupang did not respond to these claims.

Park Dae-jun, CEO of Coupang, attends the National Assembly’s Science, ICT, Broadcasting and Communications Committee meeting to be questioned by lawmakers over the company's latest data leak, in western Seoul on Dec. 2. [NEWS1]

During the meeting, lawmakers from the ruling and opposition parties raised the issue of Coupang Inc. Chairman Kim’s responsibility for the leak. Noting that 80 percent of Coupang’s revenue is generated in Korea, they insisted that the company’s de facto owner should not sidestep accountability and called for a direct apology from Kim.

Coupang CEO Park, however, insisted that he — and not company founder and majority shareholder Kim — was responsible for the e-commerce platform's failure to protect the data of 33.7 million customers.

“Why is Chairman Kim Bom hiding when the public wants an apology from him?” said Rep. Lee Hoon-ki of the Democratic Party. Reps. Park Jeong-hun and Park Choong-kwon of the People Power Party also echoed Lee, each saying, “Why is there no statement from Chairman Kim?” and “What is Chairman Kim Bom’s position and is he reachable?”

Coupang CEO Park was adamant on distancing Kim from the issue, stressing that as the head of the Korean corporation, he alone was accountable for the incident. “As the representative of the Korean entity, I take full responsibility for the situation and am doing my utmost to resolve it,” Park said.

Regarding whether Chairman Kim would apologize, Park reiterated, “The incident occurred at the Korean entity, and it is appropriate for the representative here to take responsibility.”

Kim Bom, founder of Coupang [COUPANG]

When Park said he did not know Kim's current location, explaining that the Coupang founder "oversees global business from overseas," Rep. Lee Sang-hwi of the People Power Party berated him, saying, “How can it be that the company doesn’t even know where its owner is, despite the severity of the situation?”

Lawmakers also criticized Coupang for describing the data as "exposed" rather than "leaked" during its explanation to the Assembly. Rep. Han Min-soo of the Democratic Party raised his voice, saying, “You have not clearly stated the scale or nature of the damage. Are you trying to downplay responsibility with ambiguous language?”

Coupang’s apology also drew fire after it was revealed that the company took down the statement from its website just three days after posting it.

“There was no intention to withdraw the apology," said CEO Park. "It was a problem that occurred while reorganizing how we provide notices.”

Many lawmakers expressed outrage that 33.7 million items of personal information were left exposed for five months. Coupang said it is conducting internal investigations and cooperating with external authorities to examine its security systems.

Park Dae-jun, CEO of Coupang, bows his ahead in apology to lawmakers at the National Assembly’s Science, ICT, Broadcasting and Communications Committee meeting in western Seoul on Dec. 2. [LIM HYUN-DONG]

When asked by Rep. Park Jeong-hun if secondary damage was possible, the Coupang CEO replied that no secondary damage had been reported, as far as he knew.

Lawmakers urged the government to impose a penalty on Coupang. The Personal Information Protection Commission said it will closely review whether to impose a fine of more than 1 trillion won ($681 million) on the company, depending on the severity of the damage determined by the commission and the company's revenue volume.

Korean law imposes a 3 percent cap on a company's total annual revenue for penalties levied for failure to protect personal information. Coupang reported 41 trillion won in revenue last year, bringing the calculated cap on possible fines to 1.23 trillion won.

Bae Kyung-hoon, Minister of Science and ICT, also promised during the meeting to review the implementation of punitive measures to ensure that an incident that "leads to immediate and financial damages to the people does not repeat itself."

This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom.
BY KANG KI-HEON, KIM KYUNG-MI [[email protected]]