DPK Vows to Correct Coupang's Underreporting of Data Leak Scale to U.S. Authorities
"33 Million Cases, But Only About 3,000 Disclosed"
"Fair Trade Commission: Not Grounds for Business Suspension Under the E-Commerce Act"
On the 19th, the Democratic Party of Korea announced that it would move to correct what it says is Coupang's underreporting to the U.S. Securities and Exchange Commission (SEC) of the scale of its personal data leak by a factor of about 10,000.
The Democratic Party's Committee for Protecting Small Business Owners and Livelihoods (Euljiro Committee) held a meeting of the "Correcting Coupang" task force (TF) at the National Assembly the same day and received a briefing from the government's joint investigation team, including the Ministry of Science and ICT, the Fair Trade Commission, and the Personal Information Protection Commission, on the personal data leak incident.
After the meeting, Assemblyman Kim Namgeun told reporters, "The scale of the personal data leak is 33 million cases, and Coupang Korea has to some extent acknowledged this. However, Coupang's U.S. headquarters has stated that only a little over 3,000 cases were leaked, so we decided to correct this part."
In this regard, Assemblyman Lee Hoonki said, "The filing with the U.S. SEC states that there were 3,000 cases of data leakage. That is a difference of about 10,000 times," adding, "Based only on the disclosure in the U.S., it seems there are concerns that Korea is being unduly harsh on Coupang. It seems important to ensure that the actual situation is accurately reflected."
However, rather than having the government or the National Assembly directly convey the information to the United States, the plan is to ensure that accurate details are delivered when Harold Rogers, Coupang Korea Representative, appears before the U.S. House of Representatives.
In addition, the party and the government decided to notify individuals of expected data breach damage even in cases where the person is not a Coupang member but, for example, a delivery address has been leaked.
Regarding the personal data leak incident, Coupang is expected to submit an implementation plan for preventing recurrence sometime in February. Assemblyman Kim said, "We have required the company to introduce a system that blocks abnormally issued electronic access tokens in advance, and to draw up fundamental improvement measures, as needed, for vulnerabilities discovered in penetration tests."
Furthermore, the authorities plan to refer any acts by Coupang that obstructed the investigation or downplayed the investigation results to the police for criminal investigation.
As for sanctions on Coupang, the Personal Information Protection Commission is reportedly reviewing an administrative fine, while the Fair Trade Commission is considering corrective measures. However, regarding a suspension of Coupang's business, the authorities stated that, since no cases have yet been confirmed in which data was misused by a third party, the company does not fall under the grounds for business suspension under the E-Commerce Act. On this point, Assemblyman Lee added, "In the past, SKT voluntarily suspended its business for 50 days when there had only been a data leak."
Hot Picks Today
Up to 600 Million Won for Semiconductors, 160 Million Won Bonus for Loss-Making Non-Memory… Samsung Electronics Labor and Management Reach Tentative Deal on Unprecedented Performance Compensation (Comprehensive)
- "Could I Also Receive 370 Billion Won?"... No Limit on 'Stock Manipulation Whistleblower Rewards' Starting the 26th
- "From a 70 Million Won Loss to a 350 Million Won Profit with Samsung and SK hynix"... 'Stock Jackpot' Grandfather Gains Attention
- U.S. Stocks Up 1% on War Negotiation Hopes... Will Korea Recover Recent Losses? [Good Morning Market]
- "Who Is Visiting Japan These Days?" The Once-Crowded Tourist Spots Empty Out... What's Happening?
Assemblyman Min, head of the TF's general coordination subcommittee, said in his opening remarks that day, "The attacker in the Coupang personal data leak exploited an authentication vulnerability to access accounts without a normal login," adding, "Even after the authentication system developer left the company, the signing key was not renewed, the incident was reported more than 24 hours after it was recognized, and there are even indications that access logs were deleted after a data preservation order was issued." He went on to say, "At this level, it is not only a problem with the overall security management system, but also a criminal scheme to deliberately conceal the incident."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
