Coupang disclosed to the U.S. Securities and Exchange Commission (SEC) its internal investigation results and consumer compensation plan related to the large-scale personal information leak. But because it did not mention that the announcement was made unilaterally without coordination with the Korean government, controversy is growing over a "shoddy disclosure" that omits information unfavorable to investors.
On the 29th (local time), Coupang, in a report submitted to the SEC, provided follow-up investigation findings and a customer compensation program related to the cybersecurity incident disclosed on the 16th. Coupang said, "So far, the investigation found that the perpetrator accessed about 33 million accounts but actually stored only about 3,000 pieces of data, and that data was deleted without being shared with third parties."
This matches the internal investigation results Coupang released on the 25th in Korea. But after that announcement, the Korean government immediately pushed back and expressed regret. The Ministry of Science and ICT drew a line, saying, "The contents released by Coupang have not been verified by the public-private joint investigation team." The Seoul Metropolitan Police Agency also said, "We are analyzing evidence such as the statement and laptop submitted by Coupang. We will closely check the facts," stressing that the investigation is underway and issues remain to be verified.
However, Coupang said in the filing that the overall investigation process proceeded at the government's request and under its direction. Coupang wrote that the government requested full cooperation from Coupang on the 1st of this month and delivered an official written notice on the 2nd. It said that in the following weeks, Coupang worked with the government almost daily to track and contact the leaker and acted under government instructions in securing a confession, retrieving related devices, and obtaining forensic materials.
On the "self-investigation" controversy, it said, "The probe was conducted over several weeks under the government's direction. Continuing false reports that Coupang carried out the investigation without government oversight are creating unfounded anxiety."
The government countered Coupang's position again at a joint hearing held at the National Assembly on the 30th. Deputy Prime Minister and Minister Bae Kyung-hoon of the Ministry of Science and ICT said, "More than 33 million names and emails were leaked, and the Personal Information Protection Commission, the Korean National Police Agency, and the public-private joint investigation team confirmed this." He added, "We want to express serious concern that Coupang released results that were not agreed upon in advance. We believe there is a highly malicious intent."
The filing also stated regarding consumer compensation that "we are pursuing a compensation plan to provide coupons worth about 1.685 trillion won (about $1.2 billion) to customers who received a data breach notice at the end of November." Coupang said the coupons would be applied by deducting from the sales price and revenue for each transaction.
The compensation plan Coupang released the previous day consists of coupons for all Coupang products including Rocket Delivery, Rocket Direct Purchase, Rocket for Sellers, and Marketplace (5,000 won), Coupang Eats (5,000 won), Coupang Travel products (20,000 won), and R.LUX products (20,000 won). But it drew criticism because the compensation amount for Coupang and Coupang Eats, which customers use most, is only 10,000 won, with the remaining 40,000 won allocated to separate Coupang services.
Harold Rogers, Coupang's interim representative, when asked by Democratic Party of Korea lawmaker Kim Hyun-jung at the hearing whether there were plans for a more aggressive compensation plan, answered, "The compensation plan we presented amounts to 1.7 trillion won. This is unprecedented."