![Brett Mathis, Coupang CISO, answers questions at the National Assembly in Seoul on Dec. 2. [Photo=Yonhap]](https://image.ajunews.com/content/image/2025/12/02/20251202114209676422.jpg)
SEOUL, December 02 (AJP) - Coupang’s management came under heavy fire from lawmakers and direct censure from the Korean president on Tuesday, after the country’s largest-ever data breach — affecting virtually all of its 33.7 million customers — went undetected for nearly five months.
Shares in Coupang, listed on the Nasdaq, slid more than 5 percent on the first trading day after the disclosure, paring part of the 28 percent gain built earlier this year. JPMorgan warned that fines, voluntary compensation programs and litigation could weigh on near-term sentiment, although customer churn may prove limited given Coupang’s dominant market position.
The company has confirmed that unauthorized access began on June 24 via overseas servers. While initial reports suggested that only 4,500 accounts were compromised, the tally soared to 33.7 million after an internal review.
At a parliamentary inquiry, CISO Brett Mathis said the intruder had used a stolen private signing key to forge authentication tokens and impersonate legitimate users. He stressed that access was restricted to specific APIs and that there was no evidence of password changes, payment-system infiltration or deeper server compromise.
Investigators believe the suspect to be a former employee of Chinese nationality — a detail that has intensified scrutiny of Coupang’s internal privilege controls, monitoring systems and employee off-boarding procedures.
President Lee Jae Myung condemned the breach at a cabinet meeting, urging authorities to use “all possible tools” to prevent secondary damage and to establish accountability quickly.
“It is shocking that such a massive leak remained undetected for five months,” he said, calling for stronger punitive-damage rules and a broad “paradigm shift” in digital-security standards across both public and private sectors.
Public anger has mounted sharply. Online class-action communities have surged, with one forum attracting more than 70,000 members within a day of the disclosure. The scale of the breach — equivalent to roughly 65 percent of the Korean population — has sharpened the backlash.
The incident has also reignited long-standing criticism of Coupang’s governance structure. Founder and chairman Bom Kim, who retains more than 70 percent of voting power through dual-class shares, has remained silent amid the controversy. Kim has long cited overseas residence to avoid parliamentary summons, fueling criticism that the company reaps near-total domestic revenues while sheltering behind U.S. legal structures — even as it faces recurring disputes over warehouse-worker deaths, platform-fee practices and regulatory probes.
Recent revelations that Kim converted dual-class shares and cashed out about ₩5 trillion last year have intensified debate over responsibility versus reward.
In Korea, Coupang could face fines of up to 3 percent of revenue — potentially around $1 billion — under the revised Personal Information Protection Act if government investigations conclude that lax oversight enabled the breach.
In the United States, the company may also face scrutiny over whether it failed to comply with the SEC’s new rule requiring disclosure of “material cybersecurity incidents” within four business days. As of Monday, no such filing had been made, raising the prospect of further regulatory exposure.
* This article, published by Aju Business Daily, was translated by AI and edited by AJP.Copyright ⓒ Aju Press All rights reserved.
