{"id":6313,"date":"2025-12-23T12:29:43","date_gmt":"2025-12-23T12:29:43","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=6313"},"modified":"2025-12-23T12:29:43","modified_gmt":"2025-12-23T12:29:43","slug":"south-korean-firm-hit-with-us-investor-lawsuit-over-data-breach-disclosure-failures","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=6313","title":{"rendered":"South Korean firm hit with US investor lawsuit over data breach disclosure failures"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A US federal securities class action lawsuit has alleged that South Korean ecommerce giant Coupang took nearly a month to disclose a massive data breach to regulators, violating SEC rules that require companies to report material cybersecurity incidents within four business days.<\/p>\n<p><a href=\"https:\/\/www.pacermonitor.com\/public\/case\/61918598\/Barry_v_Coupang,_Inc_et_al\">The lawsuit<\/a>, filed December 18, came just two days after Coupang finally submitted a Form 8-K disclosure to the Securities and Exchange Commission \u2014 28 days after discovering the breach on November 18.<\/p>\n<p>The complaint alleges that CEO Bom Kim and CFO Gaurav Anand knew or recklessly disregarded that the company had \u201cinadequate cybersecurity protocols\u201d allowing a former employee to access customer data for nearly six months without detection. The breach exposed personal information from 33.7 million customer accounts, Coupang said.<\/p>\n<h2 class=\"wp-block-heading\">Disclosure deadline missed<\/h2>\n<p>The SEC adopted cybersecurity disclosure rules in July 2023, requiring companies to disclose material incidents within four business days of determining materiality, under item 1.05 of Form 8-K. 
Companies can delay disclosure only if the US Attorney General determines it poses substantial national security or public safety risks.<\/p>\n<p><a href=\"https:\/\/ksfcounsel.com\/wp-content\/uploads\/2025\/12\/Coupang-Complaint-rd.pdf\">The complaint<\/a> alleges that Coupang did not receive such an exemption. The company should have filed by November 24, following its November 18 discovery of the breach, but waited until December 16.<\/p>\n<p>Between discovery and disclosure, media reports prompted organizational upheaval. Park Dae-jun, CEO of Coupang\u2019s South Korean operations, <a href=\"https:\/\/www.koreatimes.co.kr\/business\/companies\/20251210\/coupang-ceo-resigns-over-data-breach\">resigned December 10<\/a> after stating he would \u201ctake full responsibility for both the incident and the handling of the case.\u201d Harold Rogers, Coupang\u2019s general counsel and chief administrative officer, assumed the role of interim CEO of the Korean subsidiary.<\/p>\n<p>Coupang founder and CEO Bom Kim declined to appear at <a href=\"https:\/\/www.koreaherald.com\/article\/10640779\">a South Korean parliamentary hearing<\/a> about the breach, citing business obligations \u2014 a decision lawmakers condemned as a \u201csystematic evasion of corporate responsibility.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Authentication keys left unrevoked after employee departure<\/h2>\n<p>Investigators traced the breach to a former employee who retained valid authentication credentials after leaving the company in 2024, according to <a href=\"https:\/\/www.asiafinancial.com\/ex-chinese-worker-key-to-koreas-worst-data-breach-in-decade\">statements by South Korean lawmaker Choi Min-hee<\/a>. The individual, a 43-year-old Chinese national, had worked on authentication management systems and joined Coupang in November 2022.<\/p>\n<p>Rep. 
Choi Min-hee, chair of the National Assembly\u2019s Science, ICT, Broadcasting and Communications Committee, <a href=\"https:\/\/www.csoonline.com\/article\/4101486\/coupang-leaks-personal-information-of-33-7-million-accounts-suspected-of-poor-authentication-key-management.html\">released analysis results in a November 30 press release<\/a> pointing to failures in basic security procedures. The company failed to renew or revoke signing keys \u2014 the cryptographic credentials used to issue access tokens \u2014 when the employee left.<\/p>\n<p>\u201cAbandoning a long-term valid authentication key was not simply a deviation by an internal employee, but the result of organizational and structural problems at Coupang that neglected the authentication system,\u201d Choi said in the press release.<\/p>\n<p>Coupang\u2019s own information to lawmakers indicated the company set token signing key validity periods of five to ten years, with rotation periods varying by key type.<\/p>\n<h2 class=\"wp-block-heading\">Legal test case for SEC cybersecurity rules<\/h2>\n<p>Legal observers noted the Coupang lawsuit appears to be among the first securities class actions directly challenging compliance with the SEC\u2019s 2023 cybersecurity disclosure guidelines.<\/p>\n<p>\u201cThis is a specific reason why I find the new Coupang lawsuit particularly interesting, and that is because one of the suit\u2019s major allegations is that the company allegedly failed to make the requisite disclosures under the SEC\u2019s cybersecurity disclosure guidelines,\u201d the legal journal The D&amp;O Diary wrote in an <a href=\"https:\/\/www.dandodiary.com\/2025\/12\/articles\/securities-litigation\/two-tech-companies-hit-with-data-breach-related-securities-suits\/\">analysis of the case<\/a>.<\/p>\n<p>The complaint also alleges Coupang made materially false statements in quarterly reports filed in August and November 2025. 
Those reports incorporated risk disclosures from the company\u2019s 2024 Annual Report detailing encryption technology and security measures \u2014 statements the complaint said \u201cmaterially understated Coupang\u2019s risk of a material cybersecurity event.\u201d<\/p>\n<p>When Coupang <a href=\"https:\/\/www.sec.gov\/Archives\/edgar\/data\/0001794669\/000119312525325098\/d77776d8k.htm\">finally filed its Form 8-K<\/a>, the company stated it had activated incident response procedures, blocked unauthorized access, and reported the incident to Korean authorities. The filing acknowledged Korean regulators \u201cwill potentially impose financial penalties\u201d but said the company could not reasonably estimate losses.<\/p>\n<h2 class=\"wp-block-heading\">Regulatory scrutiny in South Korea<\/h2>\n<p>In South Korea, Coupang faces potential fines up to 1.2 trillion won ($814 million) under the Personal Information Protection Act, which requires companies to notify regulators within 24 hours of discovering a breach and maintain appropriate safeguards.<\/p>\n<p>South Korean police raided Coupang\u2019s Seoul headquarters twice as part of their investigation. <a href=\"https:\/\/www.koreatimes.co.kr\/www\/tech\/2025\/12\/419_389929.html\" target=\"_blank\" rel=\"noopener\">President Lee Jae Myung called for expanded class action lawsuit provisions<\/a>, saying \u201cevery Korean has been affected\u201d by the breach affecting nearly two-thirds of the country\u2019s 51.7 million population.<\/p>\n<p>The lawsuit seeks to establish a class of investors who purchased Coupang securities between August 6 and December 16. Multiple law firms have announced they are investigating similar claims. 
A case management conference is scheduled for March 20.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A US federal securities class action lawsuit has alleged that South Korean ecommerce giant Coupang took nearly a month to disclose a massive data breach to regulators, violating SEC rules that require companies to report material cybersecurity incidents within four business days. The lawsuit, filed December 18, came just two days after Coupang finally submitted [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":6314,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6313","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6313"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6313"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6313\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/6314"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6313"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6313"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6313"}],"curies":[{"name":"wp","href":"https:\/\
/api.w.org\/{rel}","templated":true}]}}