koreajoongangdaily.joins.com
BY LEE YOUNG-KEUN, KIM JI-HYE

The former Coupang employee accused of leaking 33.7 million customer data had worked at the company for just two years, according to police on Thursday.

According to the Seoul Metropolitan Police Agency and sources familiar with the case who spoke to the JoongAng Ilbo, the suspect in the data breach — identified as a 43-year-old developer and Chinese national — was affiliated with Coupang's Seoul office. The person joined Coupang in November 2022 and was assigned to work on a key management security system before leaving the company late last year.

It’s difficult to understand from a common sense perspective why a newly hired developer with foreign nationality would be given access to sensitive customer information — especially in today’s security-conscious corporate environment,” said an industry source. “Given that such duties typically require strict security training and pledges, it raises questions about whether the company’s protocols were adequate.”

Coupang disclosed on Nov. 29 that approximately 37.7 million customer accounts had been exposed. The compromised data includes names, email addresses, saved delivery addresses, partial order histories and, in some cases, access codes for shared building entrances.

Due to the massive scale of the breach, police have been raiding Coupang’s headquarters in Songpa District, southern Seoul, for three consecutive days since Tuesday. Thursday's raid began around 9:40 a.m. Investigators are focused on securing records that can explain how the suspect allegedly gained access to Coupang’s security system and extracted the data. These include internal documents, work logs and system records related to the key management platform the suspect worked on during the employment period.

Police are also analyzing logs stored in the company’s security system, such as IP addresses, user credentials and access histories.

Coupang filed a criminal complaint with police on Nov. 25 regarding the leak. The police initially began an investigation based on documents submitted voluntarily by the company, but launched a compulsory search starting Tuesday. Investigators plan to trace the suspect’s methods and movements using the evidence collected in the raid. If Coupang’s negligence or legal violations are uncovered in the process, the company — currently treated as the victim — and employees responsible for handling personal information may also become subjects of investigation.

Meanwhile, the number of phishing scams linked to the Coupang breach has surged in recent days. According to Democratic Party lawmaker Lee Jeong-heon of the National Assembly’s Science, ICT, Broadcasting and Communications Committee, police received 229 phishing reports between Nov. 30 and Tuesday.

Most reports involved scams impersonating Coupang and offering fake compensation or claiming to be sending deliveries. Other familiar tactics, such as fake product review programs or phony prize announcements, were also used — many of which predate the breach.

“This incident is raising serious concerns over secondary damage such as phishing crimes,” Lee said. “Coupang and Executive Chairman Kim Bom must stop hiding behind silence and urgently take responsibility with transparent disclosure and a comprehensive compensation plan.”