The Korea Times

President Lee Jae Myung orders punitive measures against Coupang data leak

Ex-employee exploits system vulnerabilities

President Lee Jae Myung attends a Cabinet meeting at the presidential office in Yongsan, Seoul, Tuesday. Yonhap

President Lee Jae Myung on Tuesday ordered a thorough investigation and punitive measures over Coupang's recent massive customer data leak.

“The scale of the damage is massive, involving about 34 million victims, but it is truly shocking that the company failed to detect the breach for five full months after the initial incident,” the president said during a Cabinet meeting at his office in Yongsan District, Seoul.

“We must identify the cause of this accident swiftly and hold those responsible strictly accountable. I urge you to mobilize all available resources to prevent secondary crimes arising from the misuse of this leaked information.”

Expressing concern over the recent surge in data leak cases, Lee urged the government to implement harsher penalties and effective countermeasures, drawing on international standards to put punitive damages into practice.

“This is also an opportunity to completely overturn the misguided practices and perceptions that trivialize the protection of personal data — a core asset in the age of AI (artificial intelligence) and digital technology,” he said.

“As we face a hyperconnected digital society, please urgently prepare and implement a new digital security framework that amounts to a paradigm shift, encompassing both the private and public sectors.”

Korea’s leading e-commerce company is facing the largest data leak in the country’s history with a breach that compromised the personal information of 33.7 million users, allegedly its entire customer base, which accounts for almost 65 percent of the country’s population.

The company confirmed that the leak was comprehensive, including names, phone numbers, email addresses, mailing addresses and order history.

The suspect behind the breach is a Chinese national who had worked on Coupang’s authentication and system access management until recently.

Coupang Corp. CEO Park Dae-jun, left, and Chief Information Security Officer Brett Matthes attend a committee hearing at the National Assembly in Seoul, Tuesday. Yonhap

Coupang Corp. CEO Park Dae-jun confirmed on Tuesday during the science and technology committee’s hearing at the National Assembly in Seoul that the prime suspect was a developer for its authentication system. When asked about the suspect’s nationality, the CEO avoided a direct answer, saying the investigation is still ongoing, while commenting that there are no confirmed cases of secondary crimes so far.

The former employee extracted customer information after leaving the company, presumably by exploiting authentication tokens and security vulnerabilities.

An authentication token acts like a temporary access pass issued after a user logs in, and a signing key is used to create and verify those tokens. The main problem is that Coupang failed to revoke or rotate this signing key even after the employee left, which points to poor cybersecurity management that left its systems exposed as the underlying cause of the breach.

Brett Matthes, Coupang’s chief information security officer, explained that the private signing key, the highest-level security asset, was compromised. The suspect used this stolen signing key to mint fake tokens that could be submitted to the system, allowing them to masquerade as legitimate users and access customer data.
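The rotation failure described above, as an added example that is not Coupang's code and does not come from the article: a hypothetical token service (the names `TokenService`, `sign` and `demo` are invented here, and HMAC-SHA256 stands in for the signing scheme, which the article does not specify) showing that a token signed with a copied key keeps verifying until that key is rotated out of the trusted set.

```python
import base64, hashlib, hmac, json, secrets, time

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()

def sign(kid: str, key: bytes, user: str, exp: float) -> str:
    """Build 'claims.signature'; anyone holding `key` can produce this."""
    body = _b64(json.dumps({"kid": kid, "sub": user, "exp": exp}).encode())
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(mac)

class TokenService:
    """Hypothetical verifier that trusts only the keys in its key ring."""
    def __init__(self):
        self.keys = {}       # key id -> key bytes currently trusted
        self.active = None
        self.rotate()

    def rotate(self) -> str:
        """Create a fresh signing key and stop trusting the previous one."""
        self.keys.pop(self.active, None)
        self.active = secrets.token_hex(4)
        self.keys[self.active] = secrets.token_bytes(32)
        return self.active

    def issue(self, user: str, ttl: int = 3600) -> str:
        return sign(self.active, self.keys[self.active], user, time.time() + ttl)

    def verify(self, token: str):
        """Return the user the token names, or None if it is rejected."""
        try:
            body, sig = token.split(".")
            claims = json.loads(base64.urlsafe_b64decode(body))
            key = self.keys[claims["kid"]]   # retired or unknown key id: KeyError
        except (ValueError, KeyError, TypeError):
            return None
        expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return None
        return claims["sub"] if claims["exp"] > time.time() else None

def demo():
    svc = TokenService()
    kid, copied = svc.active, svc.keys[svc.active]  # constructed: key copy kept after offboarding
    stale = sign(kid, copied, "customer-1", time.time() + 3600)
    before = svc.verify(stale)    # accepted while the old key is still trusted
    svc.rotate()                  # offboarding control: rotate and revoke
    after = svc.verify(stale)     # rejected: key id is no longer in the ring
    return before, after, svc.verify(svc.issue("customer-2"))
```

Token expiry alone does not help here, because whoever holds the key can set any expiry; only removing the key from the verifier's trusted set invalidates what it signs.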

The science and ICT ministry confirmed that the Coupang data leak lasted from June 24 to Nov. 8, after conducting a full log analysis from July last year to this November.

Public outrage is mounting over the unprecedented breach, intensifying calls for stricter accountability and legal action against the e-commerce giant.

Rep. Na Kyung-won of the People Power Party urged the president to immediately request the Chinese government to arrest and extradite the suspect.

“Given China’s investigative capabilities and tight control, if there is the will, it should be possible to locate the key suspect and secure their custody within a single day,” she wrote on social media.

Meanwhile, consumers are moving quickly to organize collective legal action against Coupang. About 14 Coupang users filed a damages suit on Monday at Seoul Central District Court, demanding 200,000 won ($137) each in compensation.

Law firms are also gathering users to take the case to a class action suit, including SJKP Law Firm, which announced it will form a task force with tech-specialized attorneys to handle the case.

“The firm is also reviewing the extent of potential liability at Coupang’s U.S. headquarters, and the outcome of this review could significantly affect the level of fines and sanctions ultimately imposed,” SJKP said.

However, Gachon University law professor Choi Kyoung-jin noted that, beyond administrative fines, the practical remedies for civil damages are unlikely to be substantial for affected consumers.

He explained that, in practice, three main legal tools are on the table in Korea’s current system: ordinary damages claims, punitive (multiple) damages and statutory damages, and that careful consideration is needed to determine which mechanism is most appropriate for this case.

“Aside from a fine, there may not be many practical options. For consumers, pursuing (a lawsuit) for damages is likely the most realistic path,” he said.

“In that sense, the president’s emphasis on damage relief was appropriate. But the issue now is how to actually implement it. At the moment, there are three legal tools available (for consumers): ordinary damages claims, punitive damages and statutory damages. More consideration is needed to determine which of these would be the most effective to pursue.”