Seoul cyber investigators seize data, devices from ‘South Korea’s Amazon’ following data breach

South Korean police on Tuesday raided the headquarters of the country’s largest online retailer as part of an investigation into the business’ recently disclosed data breach.

Coupang, often described as the country’s version of Amazon, apologized earlier this month after confirming that the personal details of 33.7 million customer accounts had been compromised.

Cyber investigators from the Seoul Metropolitan Police Agency have now seized devices and data from the company’s headquarters to find evidence of how the breach took place.

The police previously announced that they believed they had identified the perpetrator, described as a Chinese former employee who has since left the country, based on data voluntarily provided by Coupang.

During a parliamentary hearing last week, Coupang’s chief information security officer said the company believed the person responsible for the breach had occupied “a privileged role within the organization” and obtained a private encryption key they used to forge a token impersonating a Coupang customer, as reported by Reuters.

A police official said the newly secured digital evidence will allow investigators to “comprehensively determine the overall facts of the case, such as the leaker of the personal information as well as the route and cause of the leak,” reported Yonhap News Agency.

The raid follows political criticism of South Korea’s data protection rules and comes in the wake of several high-profile data breaches affecting the country’s companies.

Coupang’s incident affecting 33.7 million people is one of the largest the country has ever grappled with.

Senior executives at Coupang, which is listed on the New York Stock Exchange, have also provoked investor concern after it emerged they sold shares in the company in an officially preplanned sale that completed days before the business formally disclosed the breach.

Additional scrutiny is also being applied to establish if liability clauses in Coupang’s terms of service legitimately insulate the company from any fallout over the incident, while South Korea’s trade regulator is questioning whether Coupang is using “dark patterns” to prevent customers deleting their accounts.

The data breach has become a major discussion point in South Korean politics, with President Lee Jae Myung calling for tougher penalties in corporate negligence cases where personal data is insufficiently protected. The current penalties are capped at 3% of a company’s annual global turnover.


Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.

 
