Massive Coupang Breach Sparks Corporate Crisis

With a crisis unfolding at e-commerce giant Coupang, we sat down with Malik Haidar, a veteran cybersecurity expert who has spent his career on the front lines of digital defense for multinational corporations. The Coupang incident, which saw a data breach balloon from a few thousand accounts to over 33 million, has become a case study in corporate crisis management, or mismanagement. We explored the technical failures behind the staggering numbers, the strategic implications of the sudden leadership change, and the subtle but deeply damaging ways a company’s legal maneuvering can shatter customer trust more than the breach itself.

The scale of the Coupang breach exploded from an initial report of 4,500 accounts to a staggering 33.7 million. From your experience, could you walk us through the kind of cascading failures that typically lead to such a monumental miscalculation in the heat of a crisis?

A jump of that magnitude is almost never a simple counting error; it’s a symptom of a fundamentally broken incident response process. What we often see is a “patient zero” scenario. The initial 4,500 accounts were likely the first discovery—perhaps a single, isolated database or server they thought they had contained. The failure comes from a lack of visibility. They didn’t understand how their systems were interconnected. Maybe the attackers used those first accounts to pivot, moving laterally across the network to a much larger, more critical database, and the security team was a step behind the whole time. It also signals a severe breakdown between the technical teams and the executive and legal teams. There is immense pressure to release a number quickly, to “control the narrative,” but that often leads to releasing the wrong number. This isn’t just a correction; it’s an admission that in the critical first hours, they had no real grasp of the situation.

Following this revelation, the CEO resigned and was replaced by Harold Rogers, the US-based general counsel. What does installing a lawyer, rather than a technologist or a new CEO from within the local market, signal about the parent company’s priorities right now?

It’s a very deliberate and telling move. Bringing in the chief legal officer from the US parent company means the primary focus has shifted from operational recovery to damage control—specifically, legal and financial liability. The parent company is thinking about regulators, potential class-action lawsuits, and reassuring investors. Rogers isn’t there to fix the servers; he’s there to fix the company’s legal and reputational standing. To genuinely restore trust, his priorities must go beyond legal statements. He needs to fund a complete overhaul of their security architecture and, more importantly, be radically transparent with the public about what happened. He should also simplify that convoluted account deletion process immediately. Actions like that speak much louder than any carefully worded press release about “restoring trust.”

The investigation is now reportedly focused on a former employee, suggesting an insider threat. How does the hunt for digital evidence in a case like this differ from investigating an anonymous, external cyberattack?

It’s a completely different kind of hunt. When you’re dealing with an external hacker, you’re looking for the breach point—a cracked wall, a broken window. The investigation is about how they got in. With an insider threat, the suspect already had the keys to the building. The crime isn’t about unauthorized access, but about the abuse of authorized access. The police aren’t just looking for malware; they’re building a narrative. They’ll be combing through digital evidence like server access logs to see which files this specific employee touched, network traffic logs for any unusual data transfers out of the network, and even email and chat records to establish motive. The focus shifts from the “how” of the intrusion to the “what” and “why” of the data theft. It’s a far more personal investigation, piecing together a timeline of betrayal from legitimate actions.

South Korea’s privacy regulator, the PIPC, slammed Coupang not just for the breach but for its response, particularly a new liability clause and a complicated cancellation process. What does the timing of these changes suggest to you about the company’s mindset?

Frankly, it’s appalling, and it’s a classic example of how to make a bad situation worse. Introducing a clause to disclaim responsibility for data breaches in November, right when they knew they had a major incident but before the public understood its true scale, is a profound breach of faith. It shows their first instinct wasn’t to protect their customers but to protect themselves from their customers. A data breach is a failure of security, which can sometimes be forgiven. This, however, is a failure of character. When you combine that with making it intentionally difficult for panicked users to delete their accounts, you are actively working against your customers’ interests in their moment of need. That kind of behavior erodes trust on a much deeper level than the initial hack ever could.

Do you have any advice for our readers?

Absolutely. Treat every online account as a potential vulnerability. First, use a unique, complex password for every single service, preferably managed through a password manager. Second, enable two-factor authentication wherever it is offered; it’s the single best defense against your password being stolen. After a breach like this is announced, be extra vigilant. Scammers will use the news to launch phishing attacks, sending fake emails and texts that look like they’re from the breached company. Finally, vote with your wallet and your data. If a company makes it difficult to understand their policies or to delete your account, that’s a massive red flag. It tells you everything you need to know about how little they respect you and your privacy.
