Authentication keys left unrevoked after employee departure: Investigators traced the breach to a former employee who retained valid authentication credentials after leaving the company in 2024, according to statements by South Korean lawmaker Choi Min-hee. The individual, a 43-year-old Chinese national, had worked on authentication management systems and joined Coupang in November 2022. Rep. Choi Min-hee, chair of the National Assembly’s Science, ICT, Broadcasting and Communications Committee, released analysis results in a November 30 press release pointing to failures in basic security procedures. The company failed to renew or revoke signing keys, the cryptographic credentials used to issue access tokens, when the employee left. “Abandoning a long-term valid authentication key was not simply a deviation by an internal employee, but the result of organizational and structural problems at Coupang that neglected the authentication system,” Choi said in the press release. Coupang’s own information to lawmakers indicated the company set token signing key validity periods of five to ten years, with rotation periods varying by key type.
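The control gap described above, long-lived token signing keys that were not rotated when someone with access left, can be checked with an inventory audit. The following is an added example, not code from the article or from Coupang; the key names, staff ids, dates and the 365-day policy ceiling are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

MAX_VALIDITY_DAYS = 365  # assumed policy ceiling, not a figure from the article

@dataclass
class SigningKey:
    kid: str
    created: date      # date of creation or last rotation
    expires: date
    custodians: tuple  # staff who could read or export the private key

def audit_signing_keys(keys, departures, today):
    """Return {kid: [findings]} for keys that should be rotated or revoked.

    departures maps a staff id to the date that person left.
    """
    findings = {}
    for key in keys:
        issues = []
        if key.expires <= today:
            issues.append("expired but still in inventory")
        else:
            validity = (key.expires - key.created).days
            if validity > MAX_VALIDITY_DAYS:
                issues.append(f"validity {validity} days exceeds policy")
            for person in key.custodians:
                left = departures.get(person)
                # A key minted before a custodian left, and never rotated
                # since, can still sign tokens the verifier accepts.
                if left is not None and key.created <= left <= today:
                    issues.append(f"not rotated since {person} left on {left}")
        if issues:
            findings[key.kid] = issues
    return findings

# Constructed inventory for illustration only.
KEYS = [
    SigningKey("access-token-2021", date(2021, 3, 1), date(2031, 3, 1), ("emp-a", "emp-b")),
    SigningKey("access-token-2025", date(2025, 1, 10), date(2025, 12, 31), ("emp-b",)),
]
DEPARTURES = {"emp-a": date(2024, 6, 30)}

if __name__ == "__main__":
    for kid, issues in audit_signing_keys(KEYS, DEPARTURES, date(2025, 12, 1)).items():
        print(kid, "->", "; ".join(issues))
```

Running the audit on every offboarding event, rather than on a calendar schedule, is what ties key rotation to the departure itself.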
Legal test case for SEC cybersecurity rules: Legal observers noted the Coupang lawsuit appears to be among the first securities class actions directly challenging compliance with the SEC’s 2023 cybersecurity disclosure guidelines. “This is a specific reason why I find the new Coupang lawsuit particularly interesting, and that is because one of the suit’s major allegations is that the company allegedly failed to make the requisite disclosures under the SEC’s cybersecurity disclosure guidelines,” the legal journal The D&O Diary wrote in an analysis of the case. The complaint also alleges Coupang made materially false statements in quarterly reports filed in August and November 2025. Those reports incorporated risk disclosures from the company’s 2024 Annual Report detailing encryption technology and security measures, statements the complaint said “materially understated Coupang’s risk of a material cybersecurity event.” When Coupang finally filed its Form 8-K, the company stated it had activated incident response procedures, blocked unauthorized access, and reported the incident to Korean authorities. The filing acknowledged Korean regulators “will potentially impose financial penalties” but said the company could not reasonably estimate losses.
Regulatory scrutiny in South Korea: In South Korea, Coupang faces potential fines up to 1.2 trillion won ($814 million) under the Personal Information Protection Act, which requires companies to notify regulators within 24 hours of discovering a breach and maintain appropriate safeguards. South Korean police raided Coupang’s Seoul headquarters twice as part of their investigation. President Lee Jae Myung called for expanded class action lawsuit provisions, saying “every Korean has been affected” by the breach affecting nearly two-thirds of the country’s 51.7 million population. The lawsuit seeks to establish a class of investors who purchased Coupang securities between August 6 and December 16. Multiple law firms have announced they are investigating similar claims. A case management conference is scheduled for March 20.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4111091/south-korean-firm-hit-with-us-investor-lawsuit-over-data-breach-disclosure-failures.html

