Crisis Erupts in Korea, U.S. Parent Silent on Internal Controls... Coupang's Governance Under Scrutiny

After a massive leak of 33.7 million customer records at Coupang, the leading e-commerce company in South Korea, questions of responsibility are mounting for the board of directors of Coupang Inc-the company’s parent listed on the U.S. Nasdaq-and its 'owner,' Chairman Kim Bom. The controversy stems from the fact that, for several months, the company’s internal control system failed to function at all, allowing a former employee to access customer data without authorization. Furthermore, the company effectively neglected to address the situation, citing the ongoing police investigation as a reason for inaction. The governance structure, which concentrates risk management and oversight functions within the U.S. headquarters’ board and its audit committee, is being cited as the root cause.

According to industry sources and public filings as of December 2, 2025, most of Coupang’s business operations, revenue, and data are based in South Korea. Over 90% of its total revenue, its workforce of more than 90,000 employees, and its user base of over 30 million are all concentrated in Korea. Nevertheless, the highest governing body of the group, the Coupang Inc board of directors, is composed entirely of eight foreign nationals, including Chairman Kim Bom, with members from the United States, Brazil, and India.

The board’s credentials are impressive. Its members include Jason Child, Chief Financial Officer (CFO) of the U.S. semiconductor design company ARM and lead independent director; Pedro Franceschi, co-founder of the U.S. fintech company Brex; Neil Mehta, founder of Silicon Valley investment firm Greenoaks Capital; and Asha Sharma, formerly of Meta, among other executives with extensive experience in global IT, finance, and technology industries.

However, the board has remained silent in the face of what is being called the largest personal data breach in South Korean history. This has led to criticism that “the system of operating in Korea while controlling from the United States has resulted in a leadership vacuum during a crisis.”

While Coupang’s Korean entity is directly subject to the Personal Information Protection Act and bears legal liability such as penalties and fines, the key decisions regarding security system design, security investment, and risk management strategy are made at the Coupang Inc level.

Under the Coupang Inc board, there is an audit committee officially responsible for overseeing cybersecurity. The committee consists of three members: Jason Child (Chair), Benjamin Sun, and Amberin Tuvashi. Chair Jason Child is an expert in finance and risk management, having served as CFO at several global tech companies. He joined the Coupang board in April 2022 and has previously served as CFO at companies such as Splunk, a security and monitoring technology firm. Sun is co-founder of the New York-based venture capital firm Primary Venture Partners, while Tuvashi is a global tech finance and strategy expert who previously served as CFO at the U.S. collaboration platform company Airtable.

According to the audit committee’s charter, its responsibilities include overseeing internal controls, information security and personal data protection policies, data risk, whistleblower investigation processes, and enterprise risk management (ERM). The committee is tasked with reviewing cyber policies and incident response plans established by management, and regularly meeting with the Chief Information Security Officer (CISO) to receive updates on threat situations.

Despite these measures, in the recent breach, a former employee’s account remained active and unmonitored for over a month, and large-scale access attempts from overseas IP addresses went undetected. The breach continued for five months without any indication that the alert system functioned properly. There are concerns that basic controls such as account and access management, as well as anomaly detection, systematically failed. Since the Coupang Inc board is the ultimate authority responsible for designing group-level security systems and overseeing risk, criticism is being directed at the board itself.

Recently, in the United States and Europe, cybersecurity and personal data protection have become core governance issues at the board level, as companies increasingly face regulatory sanctions and shareholder lawsuits. Patrick Niemann, leader of EY Americas Board Advisory Center, noted, “For companies with large-scale data infrastructure, the degree to which the board proactively oversees technology risks such as AI and cybersecurity is directly linked to corporate trust. Without proper personal data protection principles, a single incident can shake the entire company.”

Notably, Kim Bom, who serves as both chairman and CEO of Coupang Inc, has yet to make any official statement regarding the incident. Kim stepped down as chairman and registered director of Coupang’s Korean entity in 2021, but continues to hold the chairmanship at Coupang Inc. He also controls 74.3% of the voting rights, effectively holding ultimate authority over the Korean entity.

Kim is also the public face of the company, directly presenting future business strategies and earnings forecasts to investors during quarterly earnings conference calls. This has led to the observation that “the true head of Coupang is not the Korean entity, but Kim Bom at the U.S. headquarters.”

However, critics point out that Kim consistently steps back whenever a crisis occurs. In this incident, it was Park Daejun, the head of the Korean entity, who bowed and issued a public apology. During last year’s National Assembly audit, Kim was summoned as a witness but did not attend, citing his stay overseas. He was also excluded from the Fair Trade Commission’s designation of major conglomerate owners. In effect, Kim is exempt from the level of legal responsibility and disclosure obligations that domestic conglomerate owners typically bear.

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.