Bratt Mattis, Coupang CISO. [Image: National Assembly Broadcasting capture]

Coupang’s personal data leak escalated into claims of a structural security failure tied to insider privileged access, prompting parliament to warn that it may call a hearing. Lawmakers from both parties voiced strong dissatisfaction after the company, citing trade secrets, refused to submit key security documents, including ISMS findings and records of access revocation for former employees.

At a National Assembly committee session on science, ICT and broadcasting on Dec. 2, Representative Lee Jun-seok of the People Power Party questioned Coupang Chief Information Security Officer Bratt Mattis on the structural cause of the leak and the possibility of insider involvement.

Lee said the company must determine whether the employee sought data theft or full system compromise. He criticised the technical documents submitted by Coupang as vague. He reviewed the nature of the private signing key that Coupang identified as central to the attack and said that the exposure of a key used to authenticate customer logins pointed to a level of access limited to high-level developers.

Mattis said the leaked item was a private key used to sign tokens issued after customer login. He said there was no indication that passwords, hashes or other customer credentials had been taken. He added that the employee held a privileged role that allowed access to the key, effectively acknowledging the possibility of insider privileged access.

When Lee asked whether the employee once had lower-level access to databases or raw data, Mattis said police had asked him not to disclose information that could lead to identifying an individual. Lee objected strongly, saying the question concerned on-duty access rights and did not require invoking the police.

Security experts also raised concerns. Kim Seung-joo, a Korea University professor, said ISMS rules require the revocation of access rights for former employees and that the incident occurred because Coupang did not follow the requirement. He said the company should review its authentication key and access-control systems.

Lawmakers also raised concerns about additional exposure. Lee said that if the private signing key enabled external API access for five months, other data beyond emails, addresses and phone numbers might also have been leaked. Mattis said there was no sign of access outside the relevant API and said there was no indication that passwords, hashes or original database data had been taken.
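As an added illustration that is not drawn from the article and does not describe Coupang’s actual systems: the arrangement Mattis describes, a private key that signs tokens after login and an API that trusts those tokens, can be modelled with an Ed25519 key ring. The key identifiers, the three-segment token layout and the `Rotate` step are assumptions made for this example. It shows the defensive consequence of such a key being exposed: once the key is retired from the trusted set, every token it ever signed stops verifying, whereas a planned rotation can keep the old key trusted for an overlap period.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims carried by a session token minted after login (hypothetical minimal shape).
type Claims struct {
	Subject string `json:"sub"`
	Expires int64  `json:"exp"` // Unix seconds
}

var (
	ErrMalformed  = errors.New("token: malformed")
	ErrRetiredKey = errors.New("token: signed with a retired or unknown key")
	ErrBadSig     = errors.New("token: signature does not verify")
	ErrExpired    = errors.New("token: expired")
)

// Keyring holds the single active signing key and the public keys the API still
// trusts. Retiring a key removes it from `trusted`; a leaked private key whose
// public half is no longer trusted can no longer mint anything the API accepts.
type Keyring struct {
	activeKID string
	private   ed25519.PrivateKey
	trusted   map[string]ed25519.PublicKey
}

func NewKeyring(kid string) (*Keyring, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Keyring{activeKID: kid, private: priv, trusted: map[string]ed25519.PublicKey{kid: pub}}, nil
}

// Rotate generates a fresh key pair and makes it active. keepOld=true is a
// scheduled rotation with an overlap; keepOld=false is the response to a
// suspected exposure, retiring the previous key at once.
func (k *Keyring) Rotate(newKID string, keepOld bool) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	if !keepOld {
		delete(k.trusted, k.activeKID)
	}
	k.activeKID, k.private = newKID, priv
	k.trusted[newKID] = pub
	return nil
}

// Issue signs claims with the active key. Token layout is constructed for this
// example: b64url(kid).b64url(claims JSON).b64url(signature).
func (k *Keyring) Issue(c Claims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	signingInput := enc.EncodeToString([]byte(k.activeKID)) + "." + enc.EncodeToString(body)
	sig := ed25519.Sign(k.private, []byte(signingInput))
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// Verify rejects tokens whose key id is not trusted before reading any claim,
// then checks the signature over the first two segments and the expiry.
func (k *Keyring) Verify(token string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, ErrMalformed
	}
	enc := base64.RawURLEncoding
	kid, err1 := enc.DecodeString(parts[0])
	body, err2 := enc.DecodeString(parts[1])
	sig, err3 := enc.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return c, ErrMalformed
	}
	pub, ok := k.trusted[string(kid)]
	if !ok {
		return c, ErrRetiredKey
	}
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return c, ErrBadSig
	}
	if err := json.Unmarshal(body, &c); err != nil {
		return c, ErrMalformed
	}
	if now.Unix() >= c.Expires {
		return c, ErrExpired
	}
	return c, nil
}

func main() {
	kr, _ := NewKeyring("2025-q1")
	now := time.Now()
	tok, _ := kr.Issue(Claims{Subject: "customer-42", Expires: now.Add(time.Hour).Unix()})
	_, err := kr.Verify(tok, now)
	fmt.Println("before retiring the key:", err)
	_ = kr.Rotate("2025-q2", false) // key suspected exposed: retire it immediately
	_, err = kr.Verify(tok, now)
	fmt.Println("after retiring the key:", err)
}
```

The point for an operator is the `trusted` map, not the signature algorithm: revoking trust in a key is an action the service owner controls, while short token lifetimes bound how long any token minted before the revocation remains usable.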

Parliament also pressed the company over missing security documents. Coupang did not submit several items, including ISMS and ISMS-P findings, records of access revocation for former employees for the past three years, API and signing-key management rules, security controls for foreign developers by nationality and work location, VDI, DLP and UEBA logs, and the status of development and test servers using actual customer data.

Committee Chair Choi Min-hee said that if document submission continues to be refused, the committee will begin hearing procedures and will summon Chairman Kim Beom-seok and former and current executives as witnesses if necessary.

Copyright © DigitalToday. All rights reserved. Unauthorized reproduction and redistribution are prohibited.