After a personal data leak occurred, Coupang notified customers of the damage and posted an apology in the name of its executives, but did not mention the word "leak." Instead, it has used terms such as "unauthorized access," "exposure," and "unapproved access." Some experts say Coupang is deliberately avoiding the word leak to minimize its legal liability related to internal controls.

According to the industry on the 2nd, Coupang has not publicly used the word leak even once since the recent personal data incident. On the 30th, while issuing an approximately 600-character apology in the name of CEO Park Dae-jun, Coupang said there had been "unauthorized access." The word leak does not appear in its notices of damage or statements of position.

Coupang CEO Park Dae-jun apologizes to users after attending an emergency inter-ministerial meeting on the Coupang personal data leak at Government Complex Seoul in Jongno-gu, Seoul, in the afternoon on the 30th last month. Left: the personal data leak notice text message sent to customers by Coupang. /Courtesy of News1

Earlier, Coupang first recognized on the 18th that data for 4,500 customers had leaked and, when it announced the facts on the 20th, it used the term "unapproved access." As follow-up investigations revealed that information on 33.7 million people had been siphoned, additional notices on the 29th and 30th said it had been confirmed as "unauthorized exposure."

At a glance, the terms may look similar. But the legal meaning and effect differ, legal experts say. Depending on which word is used, the assessment changes between a leak, in which control was completely lost due to poor management, and an exposure, in which disclosure occurred incidentally while control remained in place.

Under regulations of the Personal Information Protection Commission and the Act on Promotion of Information and Communications Network Utilization and Information Protection, "personal information leak (or outflow)" means that personal information has slipped outside the manager's control and into a state where a third party can perceive it. By contrast, "exposure" more broadly refers to data being made public without separate hacking or attack, regardless of whether control was lost.

Choi Kyung-jin, a law professor at Gachon University, said, "Outsiders view this as a leak, but Coupang recognizes it as an incident that occurred while it maintained control—in other words, an exposure," adding, "It is complicated to divide leak and exposure in binary terms, but if we must draw a line, exposure is closer to an accidental incident."

For example, if personal information is briefly made public to the general public due to a staff error during website development, that constitutes exposure. If, in the process of sending an email, the sender forgets to hide the list of all recipients and the names and email addresses of unspecified individuals are revealed, that can also be considered exposure.

The results of future investigations remain to be seen, but more weight is being given to the possibility of an insider act rather than hacking, such as an external intrusion. As indications emerge that a former employee of Chinese nationality who worked at Coupang siphoned off information over several months after leaving, the company is holding back on acknowledging that its technical and administrative measures—its controls—were inadequate.

Some interpret that while Coupang confirmed the fact of exposure, it may not have been able to determine in detail whether the data was later leaked externally. Attorney Koo Tae-eon of Lin said, "If an insider accessed the information but it is unclear whether it was leaked externally, flatly calling it a 'leak' could actually be untrue and heighten user anxiety."

Koo said, "It is comparable to a situation where an outsider entered a home and viewed documents, but it is unclear whether copies were taken outside," adding, "If someone connected to the server and issued commands to view information, but it cannot be determined whether the viewed information was transmitted externally as files, that is a position one can take at this stage."

Park Dae-jun, the CEO of Coupang, addressed criticism at a full meeting of the Science. ICT. Broadcasting. and Communications Committee at the National Assembly in Yeouido, Seoul, on the morning of the 2nd that the company used the term "exposure" rather than "leak" after the incident, saying, "It was not meant to evade any responsibility," and added, "It seems we did not think it through."

※ This article has been translated by AI. Share your feedback here.