Harold Rogers, Coupang's interim CEO, said on the 17th that although all access privileges were withdrawn when the former employee identified as a suspect in the personal information leak case left the company, the individual siphoned off information and ultimately caused harm to the people of Korea.
Rogers appeared at a National Assembly Science. ICT. Broadcasting. and Communications Committee hearing that day and said, "We are working closely with police to secure the individual and are doing our best to ensure appropriate punishment." He added, "Immediately after recognizing the incident, we completely revoked the signing keys to make any further activity impossible."
Brett Mathis, Coupang's chief information security officer (CISO), said, "The employee illicitly took the keys that had been assigned to them while still employed," and explained, "All system access was blocked upon departure, but the person had already used the stolen keys to generate access tokens." He added, "Through this, the person could masquerade as a customer and access personal information."
Meanwhile, Coupang Inc. submitted an 8-K report to the U.S. Securities and Exchange Commission (SEC) on the 16th (local time) titled "Item 1.05. Material cybersecurity incident." An 8-K is a disclosure that corporations file to promptly notify investors and stakeholders when a material change occurs.
Under SEC rules, a material cybersecurity incident must be disclosed within four business days of its occurrence. In response to criticism that failing to report this incident immediately violated the rules, Rogers said, "Under the U.S. legal framework for personal data protection, the types of information that were leaked are not subject to mandatory reporting."
He added, "There was no disclosure obligation under U.S. law, but given the continued public attention to the matter, we made an official disclosure to the SEC today."