ED Coupang founder should be held responsible for data breach

E-commerce leader Coupang's headquarters in Seoul, Sunday. Yonhap

Bom Kim, the founder of the e-commerce giant Coupang, should take full responsibility for the chaos caused by the theft of personal data belonging to 33.7 million customers.

There were no security measures in place to prevent outsiders, including former employees, from accessing the company’s systems, which led to operational disruptions. The data thief, a Chinese national and former Coupang employee, was reportedly a software engineer who did not have authorized access to Coupang’s customer database, yet still managed to steal customer data after he left the company. Such ease of access for a former employee highlights Coupang’s poor handling of customer information.

As Korea’s undisputed e-commerce leader with 32 million monthly active users, Coupang now faces rising public anxiety over the potential fallout from the stolen data. Some customers are already organizing a class-action lawsuit against the company.

There is little doubt that Coupang bears primary responsibility for the incident. The consequences are disastrous and the massive data breach has thrown the nation into chaos.

Coupang announced Saturday that personal data belonging to nearly 33.7 million customers had been stolen. The information stolen includes customer names, emails, mailing addresses, phone numbers and order histories.

Coupang said it immediately reported the incident to the Personal Information Protection Commission, the police and the Korea Internet and Security Agency, after discovering that an unauthorized outsider based overseas had gained access to its system.

The scale of the breach is unprecedented, far exceeding the SKT data leak in which the personal information of approximately 27 million subscribers was compromised.

According to Coupang, the breach began on June 24 through servers located abroad. The company initially estimated that around 4,500 individuals had been affected, but that number surged to 34 million more than a week later, after Coupang teamed up with law enforcement and cybersecurity authorities to investigate the data breach.

This breach is unusual in terms of its suspected perpetrator. While incidents involving SKT, KT and major retail companies have typically been attributed to professional hacking groups, Coupang has identified a former employee — a Chinese national who has since left Korea — as the primary suspect. The company did not release the individual’s name.

There are several issues that must be thoroughly reviewed to determine what went wrong in Korea’s private sector, which has suffered a surge of cyberattacks and data breaches in recent years. Reflection is essential for both private and public entities to prevent similar cybersecurity incidents.

The series of massive data breaches shows that Korea’s digital borders are porous and its cybersecurity capabilities remain lamentably weak. It also highlights how both sectors are struggling to keep pace with rapidly advancing digital technologies.

The KT data breach, for instance, illustrates how quickly cyber criminals' methodologies evolve — often faster than the general public and even major companies can adapt. In that case, Chinese hackers used unauthorized femtocell base stations to intercept 368 KT customers' payment information and carry out unauthorized transactions totaling 243,190,000 won ($165,435). Their sophisticated techniques exposed critical weaknesses in telecommunications-based authentication systems.

Another issue Korean policymakers must confront is the motive behind malicious cyber activities. As seen in the rise of ransomware attacks worldwide, many cybercriminals steal data primarily for financial gain. They encrypt victims’ files or lock their systems, demanding payment in exchange for restoring access.

However, several recent data breaches — including those involving Coupang and SKT — do not appear to be financially driven. This raises a pressing question: What are the attackers’ motives?

Policymakers need to urgently investigate this. When the perpetrators are foreign nationals or foreign entities, it is crucial to determine whether they are acting independently or as part of state-sponsored operations. If state involvement is confirmed, the motive becomes clear: foreign interference. Otherwise, why would foreign governments target private sector systems that form part of another nation’s key infrastructure or supply chain?

In the digital era, a nation’s sovereignty is no longer defined solely by its land, sea and air borders. Digital borders matter just as much — and the government must do everything in its power to defend them from foreign intrusion.