Coupang executives, including Chief Executive Officer (CEO) Harold Rogers, appeared before a National Assembly hearing to issue a public apology and commit to developing responsible compensation plans following a major data breach. They maintained, however, that the incident did not violate any U.S. laws.
The hearing, held on Wednesday by the National Assembly’s Science, Information and Communications Technology (ICT), Broadcasting, and Communications Committee, saw testimony from Rogers, Chief Information Security Officer Brett Mattis, Vice President for External Cooperation Min Byung-ki, and Coupang Eats CEO Kim Myung-kyu.
Rogers expressed deep remorse, stating that it sincerely apologizes for causing concern and anxiety to the public. They are fully aware of President Lee Jae Myung’s criticism and are working closely with various regulatory agencies to address this data breach.
He emphasized that they are treating this situation with the utmost seriousness. They’re committed to addressing the concerns raised by regulatory bodies and alleviating any worries or inconveniences the customers may have experienced.
Regarding compensation for affected individuals, Rogers revealed that they’re currently reviewing compensation plans internally. It will announce a responsible compensation package based on the ongoing investigations’ findings.
When questioned about compensation for Coupang’s partner companies, Rogers stated that they’re conducting an internal review of the matter. If it uncovers any actual damages, it will put forward a responsible compensation plan.
Acknowledging President Lee’s recent criticism, Rogers affirmed that they’ve taken the President’s words to heart. Coupang is committed to responding appropriately to all demands arising from this situation.
Rogers Clarified the Legal Aspects, No Sensitive Information, Such as Payment Data was Compromised in the Breach
The hearing faced challenges as both Rogers and Mattis do not speak Korean. Representative Choi Hyung-doo criticized the absence of Coupang Inc. Chairman Kim Bom-seok, calling it cowardly to evade responsibility by presenting foreign witnesses when explanations could be given in Korean.
Coupang, however, maintained its stance on the legal implications. Rogers emphasized that if a similar incident had occurred in the U.S., the type of information leaked would not constitute a violation of U.S. law.
He elaborated that while information was leaked, it did not include sensitive personal data such as payment details or passwords. If this had happened in the U.S., it would not be considered a legal violation.
Rogers added that the most sensitive information, including payment and login details, was not part of the leaked data. Compared to other data breaches in the past 18 months, the scope of this incident is relatively limited.
Nevertheless, Rogers acknowledged the gravity of the situation, stating that his personal data, along with that of other Coupang customers, was included in the breach. He fully understands the seriousness of this matter.
He noted that while this may not violate U.S. law, it recognizes the severity of the incident in Korea. They are committed to doing everything in our power to protect the customers’ personal information.
Addressing criticism about delayed reporting to the Securities and Exchange Commission (SEC), Rogers explained that under U.S. privacy laws, there’s no obligation to report the type of data leaked in this case. However, given the ongoing public interest, they’ve made a disclosure to the SEC today.
Former Employee Impersonates Customer to Gain Access…Passkey to be Introduced in the First Half of Next Year
The hearing also covered additional investigation results and proposed improvement measures.
Regarding the former employee suspected in the data breach, Rogers stated that it revoked all access privileges upon the employee’s departure. However, they managed to steal information, resulting in harm to Korean citizens.
Mattis elaborated that despite blocking all access when the employee left, they used stolen keys to create access tokens, allowing them to impersonate customers and access personal information.
Rogers emphasized that they immediately revoked all signing keys once the incident was discovered to prevent any further unauthorized activity.
Coupang plans to bolster security by implementing passkeys by the first half of next year. Mattis affirmed that they’re committed to providing its customers with the safest and most reliable authentication options available.
The committee decided to report the absence of Coupang Inc. Chairman Kim and former CEOs Kang Hae-seung and Park Dae-jun as unjustified.
Committee Chair Choi Min-hee declared that it will hold them accountable to the fullest extent of the law. If necessary, it’ll create new legislation to ensure accountability. A government investigation will commence immediately following this hearing.