E-commerce giant Coupang is refuting allegations made in parliament that a suspect connected to its recent data breach attempted to extort the company. The alleged extortion involved threats to expose the private data of thousands of customers.
In a statement released Thursday, Coupang addressed claims that the data breach suspect compiled a list of approximately 3,000 customers who had purchased adult products. The company stated that the suspect allegedly attempted to blackmail Coupang for money using this sensitive information, but Coupang asserts that these claims are unfounded.
“Neither the findings of the recent joint public-private investigation nor the suspect’s emails indicate that any payment was demanded,” the company stated. “It is unfortunate that inaccurate claims were raised during parliamentary questioning.”
These claims were initially raised by Rep. Kim Seung-won of the Democratic Party of Korea during a parliamentary session on Thursday. Rep. Kim expressed concern that “a vast amount of our people’s personal information is being exploited by criminal groups,” and called for stronger measures to prevent further harm.
The parliamentary session also touched upon an upcoming US House Judiciary Committee hearing involving Coupang’s interim CEO, Harold Rogers. This hearing is part of an investigation into alleged discriminatory targeting of American companies by Korea. Prime Minister Kim Min-seok responded by stating that relevant agencies are providing factual information to US authorities to prevent any misunderstandings regarding the matter.
Tensions have been present between Korean authorities and Coupang regarding the scope and impact of the data breach itself.
On Tuesday, the Ministry of Science and ICT reported that 33.67 million user records, including names and email addresses, were exposed through Coupang’s account information system. Additionally, the delivery address page was reportedly accessed over 148 million times.
Coupang has challenged these figures, arguing that webpage access numbers should not be equated with confirmed data leakage. The company described the activity as attempts to gather information rather than a direct data extraction. Coupang previously stated that data from only approximately 3,000 accounts were stored, even though information connected to more than 33 million accounts was accessed.
Coupang also argued that the investigation report failed to acknowledge that access to building entrance codes, reported at over 50,000 instances, was limited to 2,609 accounts.
The company reiterated that the former employee involved in the case did not access highly sensitive customer information, such as payment details, passwords, or government-issued identification documents.
Addressing concerns about potential secondary harm, Coupang stated that cybersecurity firms are continuously monitoring dark web marketplaces, encrypted messaging services, and other platforms. “No evidence of secondary misuse of leaked customer information has been detected,” the company concluded.
