InterviewKorean firms' excessive collection of data led to Coupang data breach

Javed Khattak, co-founder and chief financial officer of cheqd / Courtesy of cheqd

The massive personal data breach at Coupang shows that collecting everything “just in case” is the default, because users have no practical way to say no, according to an IT expert Thursday.

This reflects a deeper architectural flaw in digital identity systems where data oversharing is an unavoidable outcome of how identity verification is designed, said Javed Khattak, co-founder and chief financial officer of cheqd, a payment infrastructure firm.

“We don’t know the exact dataset involved, but in e-commerce it’s common to store sensitive information like full birth dates when all the company needs is an age check,” he said in an interview with The Korea Times.

The pattern exists across industries. Sometimes it’s driven by regulation, but far more often it’s driven by marketing, profiling and recommendation engines, in his view.

“The underlying issue is that most companies treat personal data as fuel for their business, resulting in an aim to collect as much as possible rather than to minimize. The cheapest option is simply to store everything indefinitely, even when it creates unnecessary risk.”

Users also lack any mechanism to limit which pieces of their identity are revealed because current credentials force all-or-nothing disclosure, he added. “The solution is not rebuilding entire systems, but reducing the amount of sensitive identity data organizations must store in the first place.”

A Coupang logistics center in Seoul, Wednesday / Yonhap

Before looking at identity architecture, there are operational lessons that cannot be ignored, the CFO said. “If reports are accurate that a former employee still had access to authentication keys, that reflects gaps in off-boarding, key rotation and privilege management. Large organizations must treat these controls as foundational because a single unrevoked credential can expose millions of users.”

The deeper lesson, in his view, is that even perfect cybersecurity cannot compensate for collecting more sensitive data than necessary.

“For governments, the implications are even broader. Centralized digital ID programs that replicate this model risk creating national-scale versions of the same problem: One breach exposes everything. Storing every (piece of) identity information does not increase safety. It amplifies the consequences when something goes wrong. The real takeaway is that data minimization must become a design principle, not an afterthought, because no amount of security compensates for collecting too much in the first place," he said.

Also problematic is that most identity checks depend on government-issued documents like passports, driver’s licenses or national IDs that bundle many attributes together.

“To prove a simple fact such as being over 18, a user still ends up revealing their full birth date, name, address and document numbers. None of that extra information is relevant to the service. It’s simply a side-effect of how identity documents are designed and how verification workflows, along with storage of evidence of such checks, have been built around them.”

Minimal-disclosure identity verification is a shift that could reduce massive customer data breaches, he said. “It means proving a fact, say, ‘I am over 18’ (or) ‘I live in this country,’ without revealing anything else like the birth date. Technically, this is already possible. Zero-knowledge proofs allow one party to confirm a statement without exposing underlying data. Several national digital ID programs and private sector solutions are beginning to use selective disclosure.”

If minimal disclosure had been the default, he added, the Coupang customer data breach would have exposed far less.

“Attackers would access proofs or tokens instead of raw personal data. The usability of the stolen information would be dramatically reduced as their misuse can be limited.”