Concerns were raised that secondary damage has already occurred in the Coupang personal data leak.
At a hearing of the Science, ICT, Broadcasting and Communications Committee on December 2, Lee Hae-min of the Reform Party said secondary damage had already occurred and sharply criticised Coupang for downplaying the reality of the incident in its official explanation and public message.
Lee showed screenshots of cases shared in victim communities and pressed the company over records of attempted or actual logins from unknown devices or IPs in many user accounts.
He said he would not draw conclusions from access logs alone, but that it was a different issue if most Coupang customers were seeing the same signs. He also said overseas phishing calls had been confirmed and added that secondary damage had already occurred.
Lee also criticised Coupang’s repeated use of the word “exposure” in its notices. He said personal data of 30 million people had been breached, yet the company was minimising the incident with a political expression. He cited Coupang’s intrusion report filed on the day of the incident and said the company recognised it internally as a breach but used “exposure” externally.
He also targeted the company’s formal compliance with the 24-hour and 72-hour reporting deadlines, saying that the law requires immediate reporting and that Coupang’s response had no effectiveness beyond meeting the deadline.
Technical and institutional gaps were also raised. Lee said Coupang, which uses the AWS Korea region, failed to manage key access rights such as API keys and authentication tokens. He cited long-term internal access to data and said the company had failed in personnel management.
He stressed that the company did not detect or block abnormal access by a former employee even though it uses multi-factor authentication. He said it was theoretically possible to block it and that failure to do so meant someone was hiding something.
He also referred to Coupang’s ISMS-P certification and said developers, not the information security team, accessed authentication keys despite access control standards. He said Coupang should acknowledge it failed to meet ISMS-P standards. He said many encryption methods exist, but data had circulated widely, and he called it a structural failure of internal controls.
He also stressed the need for institutional reform. He said companies should bear all costs of investigation teams when fault is clear. He said he had already submitted bills to strengthen punitive damages and establish a consumer court, and said penalties that would alert Coupang’s management were needed.