Date: 2025-12-17

Executives defend security measures, pledge compensation amid tighter data-protection rules

A high-stakes parliamentary hearing on Coupang’s data breach opened Wednesday, with lawmakers slamming founder Bom Kim’s absence and lack of apology as a disregard for the Korean market.

Lawmakers on the National Assembly’s Science, ICT, Broadcasting and Communications Committee called the session “incomplete” without the company’s founder, who cited “official obligations as CEO of a global company operating in over 170 countries” as his reason for not attending.

“He cited his responsibilities in 170 countries, but 90 percent of Coupang’s revenue comes from Korea,” said Rep. Lee Hoon-gi of the Democratic Party of Korea. “By skipping this critical hearing, he’s abandoning the Korean market.”

Coupang CEO Harold Rogers appeared to take responsibility for the company’s Korean operations and said the company was taking the matter seriously.

“I am here as the executive in charge of Coupang Korea,” he said. “We sincerely feel strongly about the concern that we have caused. We are responding to all of our regulators here in a responsible manner.”

Rogers offered limited insight into Kim’s position, however.

“He (Kim) hasn’t told me anything about the incident,” Rogers said. “I have been reporting to him and to the board of directors about this incident and how we should respond.”

Asked directly whether Bom Kim intended to apologize for the breach, Rogers said, “I haven’t had that conversation with him.”

When asked about Park Dae-jun, Rogers confirmed that the former CEO had stepped down in response to the crisis. “My understanding is that he felt a deep responsibility for this issue and has resigned from the company. I do not expect him to be working for Coupang again.”

Regarding Coupang’s filing with the US Securities and Exchange Commission on Monday, which disclosed a cybersecurity incident involving unauthorized access to customer accounts and stated that its operations had not been “materially disrupted,” Rogers said there was no legal obligation to do so.

“In the US, the leak of data of this kind is not a violation of privacy law and does not require any information sharing with the SEC,” Rogers explained.

Security protocols were also in the spotlight.

Chief Information Security Officer Brett Matthes acknowledged that passkey-based authentication had already been deployed in Taiwan and would be introduced in Korea during the first half of 2026.

“It is very common for a multinational company to roll out a new feature into a smaller market first,” he said, noting that Coupang uses the same source code across regions, although Korea’s large user base adds complexity to deploying new features.

Matthes rejected claims that Coupang had deliberately delayed security upgrades in Korea and maintained that the recent data breach did not result in a significant compromise of login credentials or payment information.

Coupang said it is also preparing a compensation plan for affected users, but has not provided a specific timeline.

“As we learn and confirm the facts, we will be rolling out a responsible compensation plan for our customers,” Rogers said.

Separately, the National Assembly’s National Policy Committee earlier in the day approved a bill that would allow authorities to impose fines of up to 10 percent of a company’s revenue for major data breaches. Coupang Inc. reported sales of about $30.3 billion in 2024, with more than 90 percent generated from its Korean operations.