Coupang (Yonhap)

Key issues that should be clarified in a parliamentary probe into Coupang's large-scale personal data breach have been set out. With personal data covering 65 percent of the population exposed to unauthorised individuals, the structural flaws in its internal control system must be identified.

On Feb. 2, the National Assembly Legislative Research Service published a report titled "Personal data breach issues related to a parliamentary probe into Coupang" and presented five key issues that should be checked if a probe is held.

According to the service, an internal token signing key, which should be restricted to insider use and strictly managed, remained valid even after the person in charge of it left the company. The service said this suggests there may be structural flaws in companywide internal control processes.

It said the probe should closely check procedures for real-time withdrawal of access rights for departing employees, whether real-time detection and blocking systems were operating properly, and the possibility of additional similar unauthorised access.

Coupang's actions during its response to the incident are also a target of criticism. The service said the decision-making structure behind Coupang's passive notification, which avoided the term "leak" despite abnormal access being confirmed for about 3,370 accounts, should be clarified.

Another expected issue is the possibility that the leaker accessed both active data and inactive data, such as that of withdrawn members, without significant restrictions. The service listed whether Coupang's personal data database management method was appropriate as a key item for review.

With an investigation under way, the service also called for clarification of how Coupang came to identify the leaker independently and conduct its own forensics, and whether doing so was legitimate. It said it is necessary to check whether the government or investigative agencies have secured the same original materials as those behind Coupang's internal investigation results.

Criticism of the compensation method is also strong. Coupang chose to provide "purchase vouchers" on the condition that victims use affiliated services, and the service recommended checking whether there is a separate compensation plan for victims who do not want this or who have already left the service.

The service stressed that if the view that personal data breaches are becoming routine becomes entrenched, repeated large-scale personal data leaks could be structurally tolerated. It said a clear response is needed to block that.

Copyright © DigitalToday. All rights reserved. Unauthorized reproduction and redistribution are prohibited.