"Rather than an intelligent attack, this incident can be seen as a problem of poor management, such as authentication frameworks and key management."
On the 10th at the Seoul Government Complex, Deputy Minister Choi Woo-hyuk of the Ministry of Science and ICT said this during a briefing on the "announcement of the joint public-private investigation team's findings on the Coupang breach incident."
According to the Ministry of Science and ICT, it was confirmed that 33,673,817 cases of name and email information were leaked from the profile edit page in Coupang, and the delivery address list page was viewed 148,056,502 times. The order list page was viewed 102,682 times, and the delivery address edit page was viewed 50,474 times.
Deputy Minister Choi defined this incident as "a major breach that occurred at the nation's largest e-commerce platform," and said, "We investigated by applying the same standards without distinction between domestic and overseas corporations, in accordance with laws and principles." Choi also said, "The final scale of the personal information leak and the determination of legal violations are matters to be finalized and announced by the Personal Information Protection Commission."
That day, the Ministry of Science and ICT repeatedly explained the distinction between "viewing" and "leak." Deputy Minister Choi drew a line, saying, "Responsibility does not become lighter just because it is a viewing," and Deputy Head Lee Dong-geun of the joint public-private investigation team said, "At the moment of viewing, information goes outside the system's control, so we consider it a leak," adding, "In the press release, we also wrote 'viewed and leaked' to clarify the technical meaning."
As for the sequence of events, it was found that a former employee exploited a signing key of the authentication system, which the person had handled while employed, to forge and alter a digital access pass, and then used this token to access the service abnormally without going through the normal login procedure. The investigation team determined that "the verification procedure to filter forged or altered tokens at the gateway segment was insufficient."
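The kind of gateway-side checks the investigation team found insufficient can be sketched as follows. This is an added example, not Coupang's code and not taken from the investigation findings; the token format (HMAC-SHA256 with a key id), the key ids, secrets and session ids are all constructed assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed keyring: key id -> (secret, active?). "k1" stands for a key that
# a departed employee once handled and that was retired at offboarding.
KEYRING = {"k1": (b"old-secret-constructed", False),
           "k2": (b"new-secret-constructed", True)}
# Constructed record of sessions the login service actually issued.
ISSUED_SESSIONS = {"sess-1001"}

def b64e(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims, kid, secret):
    """Hypothetical token format: kid.payload.HMAC-SHA256(kid.payload)."""
    body = f"{kid}.{b64e(json.dumps(claims, sort_keys=True).encode())}"
    return f"{body}.{b64e(hmac.new(secret, body.encode(), hashlib.sha256).digest())}"

def verify_at_gateway(token, now=None):
    """Return (accepted, reason). Every check fails closed."""
    now = time.time() if now is None else now
    try:
        kid, payload, mac = token.split(".")
        secret, active = KEYRING[kid]
        expected = hmac.new(secret, f"{kid}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(mac)):
            return False, "bad signature"
        claims = json.loads(b64d(payload))
        if not isinstance(claims, dict):
            raise ValueError("claims must be an object")
    except (ValueError, KeyError):
        return False, "malformed token or unknown key"
    # A valid signature is not enough: the key must still be in service.
    if not active:
        return False, "signed with retired key"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired"
    # Catches tokens minted outside the login flow, even with a live key.
    sid = claims.get("sid")
    if not isinstance(sid, str) or sid not in ISSUED_SESSIONS:
        return False, "session never issued by login"
    return True, "ok"
```

The last check is the one that still helps when a signing key has not yet been retired: a token that was never produced by a login has no matching issuance record.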
Head of the joint public-private investigation team Lim Jeong-gyu said, "Under the ISMS-P standard, shortfalls were identified in separation of duties and cryptographic key management," adding, "We will first require remedial measures; if not implemented, we can issue a corrective order, and if it still does not improve, proceed to cancellation procedures."
The attack method was automated web crawling. The investigation team identified 2,313 IPs used in the attack and, in forensics of the attacker's storage device, also confirmed a script that included a function to transmit to an external cloud. However, regarding whether actual external transmission occurred, they said, "It is difficult to conclude because no record remains."
Measures related to legal violations were also signaled. The Ministry of Science and ICT plans to impose fines under the Act on Promotion of Information and Communications Network Utilization and Information Protection for Coupang's failure to comply with the obligation to report within 24 hours after recognizing the breach incident. The matter of some logs being deleted after a data preservation order was referred to investigative authorities. The government will require Coupang to submit a plan to prevent recurrence and will decide whether to take additional corrective measures based on the inspection results.
Deputy Minister Choi said, "We must wait for the Personal Information Protection Commission (PIPC) to determine the distinction between members and nonmembers, and the final penalty surcharge amount," while adding, "So far, no indications of secondary damage have been found on the dark web, etc." On whether payment information was leaked, Choi said, "It was not confirmed within the scope of the investigation." Deputy Minister Choi went on to emphasize again, "The investigation team does not target or discriminate against specific corporations, and we will disclose the results swiftly and transparently."