Coupang wants to grow the adoption of passkeys in Taiwan, viewing the market as a strategic hub, even as it stares down the prospect of a $1 billion fine over data leaks.

The Korean company has been actively promoting passkeys in Taiwan, with the biometric-enabled authentication method seen as more secure than traditional passwords. Coupang independently developed and distributed a passkey technology, which fulfils global standards, in Taiwan, according to a Chosun Biz report.

The technology received recognition from Taiwan officials as Coupang targets growth in the market, which it entered in 2022. Bom Kim, founder and chair of Coupang, is responsible for the company’s overseas operations and wants to grow the Taiwan business into a “second Korea.” Kim said in early November that the company “solidified its conviction in the long-term potential of the Taiwan market.”

Coupang is South Korea’s dominant e-commerce platform, but it faces a series of criminal and civil lawsuits, including for alleged corporate negligence over a huge data theft allegedly carried out by a former employee who has since left the country. The company’s CEO and most senior security officer were questioned by lawmakers at a plenary meeting in Seoul this week.

Coupang admits that customer names, email addresses, mobile numbers, shipping addresses and order histories were stolen, but says that credit card numbers, login credentials and payment details were not compromised.

Under South Korea’s Personal Information Protection Act, which was toughened up two years ago, Coupang could receive a fine of up to three percent of annual revenue for violating data protection regulations. Since the company reported revenue of $9.27 billion in the quarter ended September — bringing its 12-month revenue (so far) to $33.66 billion — this could result in fines exceeding $1 billion, as reported by AJP news agency.

The same news agency reports that Coupang’s internal investigation suggests a former employee, who is believed to be a Chinese national who left the company and then Korea, could be responsible for the data leak. The suspect is believed to have emailed customers pictures of their phone numbers and purchase histories with the message “I know your personal information,” which set off the complaints that triggered Coupang’s internal probe.

The data breach may have occurred through access with outdated authentication keys that should have been deleted or rotated when the employee left Coupang. Representative Choi Min-hee, chair of the National Assembly’s Committee on Science, ICT, Broadcasting and Communications, highlighted potential failings on the company’s part.

“Signature key renewal is the most basic internal security procedure, yet Coupang failed to follow it,” Choi said. “This is not simply an employee’s misconduct but the result of deep organizational failings.”

From “4,500” affected to over 30 million and a parliamentary hearing

While Coupang reported 4,500 affected customers when it notified the Korea Internet and Security Agency on November 20, investigators later found that the actual number affected is 33.7 million, over a period from June to November.

Coupang CEO Daejun Park and Brett Mattis, Chief Information Security Officer (CISO) of Coupang, have been questioned by lawmakers at a National Assembly inquiry into the incident. In response to a question on whether Coupang chairman and founder Kim would issue an apology over the incident, Park said: “This incident occurred within the Korean corporation and under my responsibility, so I am the one offering an apology.”

“As the CEO of the Korean corporation, I will take full responsibility and do my utmost to resolve the situation,” Park continued. The CEO did not clarify if the suspected attacker was a single individual or multiple people, choosing not to comment further as he cited an “ongoing investigation.”

When asked about the suspected former employee’s job role, Park said the employee in question had their access rights revoked after resignation. “There are no developers who work alone,” he added. “Development teams are made up of multiple members, each with different roles. The former Chinese employee was not responsible for authentication, but was a developer who developed the authentication system,” Park said in the inquiry.

South Korea’s Personal Information Protection Commission (PIPC) has ordered Coupang to correct and reissue its user notifications, reports Maeil Business. At an emergency meeting on December 3rd, the commission criticized Coupang for downplaying the incident by labeling it as “exposure” rather than a confirmed leak, posting notices for only a short period, and omitting key details such as leaked common entrance passwords.

The PIPC directed Coupang to properly notify affected users, disclose future leaks promptly via its website or pop-ups, and provide clear guidance such as changing account and shared door passwords. Coupang must also strengthen monitoring, expand its response team and report back within seven days.

The commission emphasized the seriousness of leaked contact and address data and vowed to investigate the scale, causes and potential violations of safety obligations, warning of strict sanctions if breaches are confirmed.

The PIPC is currently engaged in a three-month campaign to intensify monitoring of personal data leaks and illegal distribution online, including on the dark web, while promoting public education on damage prevention.

Large-scale leak casts significant shadow

The Coupang leak has cast a shadow over the Korean public as it affected so many people in the country. Coupang can be considered the Amazon of South Korea, as it’s the country’s biggest ecommerce platform and the leak has affected nearly every user of the platform.

Coupang failed to notice the breach for almost five months, a lengthy period of unauthorized access. Security experts note, however, that unlike most data attacks, which come from outside, misuse by an insider holding legitimate access is far harder to detect.

The suspect is believed to have held an authentication token, a digital key that grants system access. If such a token is not invalidated when an employee leaves, it still permits remote access even without the full login credentials.

In an explainer article in The Investor, Kim Yong-dae, a professor at KAIST’s Graduate School of Information Security, says this is not a system failure. “Even in companies with strong safety measures, privilege-management failure can lead to a massive leak.”

The professor’s comments echo those of security experts who highlight rogue employees — staff and insiders who have legitimate access, and, for whatever reason, become bad actors. In Coupang’s case, human error in not deleting the authentication token, or not renewing it, could have led to the prolonged exposure.
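The failure mode described above (a signed access token that still verifies months after its holder has left because the signing key was never rotated and the token was never revoked) can be made concrete. The following is an added illustration, not Coupang’s code and not the authentication system discussed in the inquiry: it mints a minimal HMAC-signed, JWT-like token and compares a signature-only verifier with one that also enforces expiry, the principal’s current status and a revocation list, then shows what key rotation alone does to an old token. All key IDs, user IDs, timestamps and key material are constructed for the example.

```python
"""Bearer-token lifecycle checks for offboarding.

Added illustration (not Coupang's code). Demonstrates why a signed token
that is never invalidated still grants access after its holder leaves,
and the checks that close the gap: signing-key rotation, a short expiry,
an active-principal check fed by HR/IdM, and a token revocation list.
"""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# --- constructed sample data: not real keys, accounts or dates ---
SIGNING_KEYS = {
    "k-2025-06": b"june-signing-key-example",  # key in use when the token was issued
}
ROTATED_KEYS = {
    "k-2025-11": b"november-signing-key-example",  # current key after rotation; June key retired
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(keys, kid, sub, jti, iat, ttl_seconds):
    """Mint a minimal HMAC-SHA256 token: header.payload.sig (JWT-like layout)."""
    header = {"alg": "HS256", "kid": kid}
    payload = {"sub": sub, "jti": jti, "iat": iat, "exp": iat + ttl_seconds}
    signing_input = f"{_b64(json.dumps(header).encode())}.{_b64(json.dumps(payload).encode())}"
    sig = hmac.new(keys[kid], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"


def verify_signature_only(token, keys):
    """The weak check: accepts any token whose signature verifies under a known key."""
    h, p, s = token.split(".")
    header = json.loads(_unb64(h))
    key = keys.get(header.get("kid"))
    if key is None:
        return False, "unknown key id"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):
        return False, "bad signature"
    return True, "ok"


def verify_token(token, current_keys, active_users, revoked_ids, now):
    """Hardened check: current key only, unexpired, active principal, not revoked."""
    ok, reason = verify_signature_only(token, current_keys)
    if not ok:
        return False, reason
    payload = json.loads(_unb64(token.split(".")[1]))
    if payload["exp"] <= now:
        return False, "expired"
    if not active_users.get(payload["sub"], False):  # HR/IdM feed: leavers flip to False
        return False, "principal no longer active"
    if payload["jti"] in revoked_ids:
        return False, "token revoked"
    return True, "ok"


def offboarding_scenario():
    """Replay: token issued in June, holder leaves in July, access attempted in November."""
    june = int(datetime(2025, 6, 1, tzinfo=timezone.utc).timestamp())
    november = int(datetime(2025, 11, 20, tzinfo=timezone.utc).timestamp())

    # One-year TTL is far too long for a developer's access token (constructed values).
    token = issue_token(SIGNING_KEYS, "k-2025-06", "dev-0042", "tok-001", june, 365 * 86400)
    short_lived = issue_token(SIGNING_KEYS, "k-2025-06", "dev-0042", "tok-002", june, 8 * 3600)

    # July: the developer leaves. HR feed updated, but key not rotated, token not revoked.
    active_after_departure = {"dev-0042": False}

    return {
        # November, signature-only verifier: still lets the departed employee in.
        "weak": verify_signature_only(token, SIGNING_KEYS),
        # Same token, verifier that consults the HR/IdM feed: rejected.
        "hardened": verify_token(token, SIGNING_KEYS, active_after_departure, set(), november),
        # Key rotation alone, even with a stale HR feed: old key id no longer accepted.
        "after_rotation": verify_token(token, ROTATED_KEYS, {"dev-0042": True}, set(), november),
        # A short TTL alone: token issued in June is long expired by November.
        "short_ttl": verify_token(short_lived, SIGNING_KEYS, {"dev-0042": True}, set(), november),
    }


if __name__ == "__main__":
    for name, result in offboarding_scenario().items():
        print(f"{name:15s} -> {result}")
```

The four results show that each control closes the gap on its own, and that they fail independently: a signature-only verifier with a never-rotated key accepts the leaver’s token indefinitely, while tying verification to the current signing key, a short expiry, or the HR feed rejects it. In practice all three are used together, because rotation and expiry bound the window if the revocation feed is late.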

However, the explainer notes that Korean firms, on the whole, spend relatively little on cybersecurity compared to Western companies such as Amazon. The U.S. e-commerce giant is estimated to have spent around one percent of its 2023 revenue on security (about $6-8 billion annually). Although Coupang is one of the biggest spenders on IT in Korea, its security budget is only around 0.2 percent of the company’s revenue.

Gartner has recommended that companies that handle data as a major asset should commit around 10 percent of their IT budgets to security. Other experts believe Korea’s security is overly dependent on certification-based compliance (“ticking boxes” to meet regulatory requirements) while real accountability is lacking, and that a shift to penalty-based regulation is needed.
