Park Dae-jun, the Coupang CEO, on the 2nd said of the former Chinese employee identified as a suspect in the leak of 33.7 million pieces of personal information, "They were not an employee handling authentication operations but a developer who built the authentication system. Their privileges were revoked after leaving the company." The remarks appear to deny allegations that the incident stemmed from poor management of authentication keys by an internal developer and retained access rights for a departed employee.
Park, during a question-and-answer session on pending issues at the National Assembly's Science. ICT. Broadcasting. and Communications Committee, answered a question from Shin Sung-beom of the People Power Party about the departed employee's job role and history by saying, "There is no developer who works alone. A development team is composed of multiple members with various roles," and gave this response.
When Noh Jong-myeon of the Democratic Party of Korea asked whether the attacker was singular or plural, Park said, "At this stage, it is difficult to determine whether it is a single person or multiple people." Park added, "We are tracking (the whereabouts of the person presumed to be a suspect in this incident) by transparently sharing verified materials with the police and the government," and said, "I cannot comment because the police are currently investigating."
Bret Mattis, Coupang's chief information security officer (CISO), promised measures to prevent a recurrence. "Once this investigation is complete, we will work with the Korea Internet & Security Agency (KISA), the Personal Information Protection Commission (PIPC), and the Ministry of Science and ICT (MSIT) to significantly strengthen our security framework," he said. "Coupang has worked to maintain a robust security system, but threat actors continually look for vulnerabilities. In response, we will keep learning and increasing our response capabilities," he said.