The Taiwanese government has announced plans to pursue legal action after an administrative investigation into Coupang's large-scale personal data leak uncovered management failures.
On the 26th, the Administration for Digital Industries under the Ministry of Digital Affairs announced via a public notice that an investigative team composed of legal and information security experts, the Criminal Investigation Bureau, and the National Institute of Cyber Security had conducted an administrative inspection of Coupang's Taiwan subsidiary the previous day, and found deficiencies in its personal data management system.
The authorities stated, "In accordance with the Personal Data Protection Act and relevant regulations such as the Security Maintenance Regulations for the Protection of Personal Data Files for the Digital Economy Industry, we will continue forensic analysis and additional investigations," adding, "Based on the investigation results, we will proceed with follow-up measures in accordance with statutory procedures."
According to the investigation, the attacker, a former employee of Coupang's Korean entity, accessed the personal data of 204,552 Coupang Taiwan users using more than 2,000 different IP addresses. The leaked data included names, email addresses, phone numbers, shipping addresses, and some order histories.
In particular, the Taiwanese authorities noted that Coupang had previously explained that the user databases (DBs) in Korea and Taiwan were separated, but the investigation confirmed that in practice the backup keys for the different DBs were identical, making cross-access possible.
The Taiwanese government demanded an explanation from Coupang and checked whether Taiwanese users had been affected immediately after the personal data leak occurred in November last year. At that time, Coupang stated in a public announcement that no evidence had been found of a leak of Taiwanese consumer personal data.
Even afterward, the authorities conducted an on-site administrative inspection on December 24 last year. However, Coupang repeatedly maintained that a security firm was still investigating and that there was no evidence proving damage to Taiwanese users. According to the Taiwanese side, this explanation remained unchanged on January 12 and 26 this year, as well as through the 9th of this month.
However, the investigation results announced by the Korean government on the 10th of this month included the fact that in an email the attacker sent to Coupang's Korean entity in November last year, he stated that users in Korea, Japan, and Taiwan had all been affected by the leak. Coupang's Taiwan subsidiary did not officially notify the Taiwanese authorities of the leak until about ten days later, on the 23rd of this month.
Earlier, on the 25th, Coupang Inc., Coupang's parent company, announced that approximately 200,000 of the accounts that the former employee had accessed without authorization were identified as being based in Taiwan. As a result, the leak of Taiwanese customer information came to light belatedly. The Administration for Digital Industries in Taiwan has announced that it will carry out an administrative inspection and take legal action.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
