It appears Coupang had already identified its own cybersecurity gaps before the personal information of 33.7 million people was leaked.
According to the office of Lee Jun-seok of the Reform Party, a member of the Science, ICT, Broadcasting and Communications Committee, on the 14th, Coupang recently submitted to the National Assembly a report on the results of a hacking defense response drill conducted in March.
The report contains the results of a simulated drill that Coupang commissioned from the consulting firm Accenture to assess its response capabilities in the event of a cybersecurity incident. Accenture examined Coupang's cyberattack response capabilities with a focus on when and how Security Operations (SecOps) monitoring intervenes if a cyberattack occurs at a Coupang logistics center.
The report identified several aspects of Coupang's cyberattack response capabilities as clear weaknesses. It first pointed out that crisis management procedures are either not documented and rely on the capabilities of individual members, or that the documents are split up among individuals. Accenture emphasized that while there were no issues during the simulated drill, this is an area that needs improvement.
In fact, this area was also a problem in the latest personal information leak. The person suspected of leaking personal information is a developer in the authentication department who had the authority needed to develop keys. Although this developer's tenure was from Nov. 16, 2022, to Jan. 1 of this year, it was found that the key in question was created after April 2024 and was not retrieved until Nov. 19 of this year.
The report also pointed out that Coupang's Security Operations monitoring does not function properly. Even after a cyberattack is confirmed and determined to be a security issue, there is no clear standard for how incident command should be carried out.
The report noted, "If there are no clear standards for when Security Operations monitoring should intervene, a cyberattack may continue undetected for a long period, increasing the likelihood that the attacker will expand activity," and added, "Due to insufficient data collection and inefficient analysis, incident response may be inadequate, and as a result, the fundamental threat may not be properly eliminated."
In reality, Coupang did not even properly detect that large amounts of personal information were being leaked. Coupang detected the personal information leak on Nov. 18. The attack began in June and went five months without even being identified.
In materials submitted to the National Assembly, Coupang said, "We believe the suspect used a normally signed token with the leaked private key to conduct unauthorized, distributed access at low volume from multiple IPs starting in June of this year, leaking personal information."
Coupang said it regularly inspects and takes measures regarding the vulnerabilities identified in the report. However, because it failed to properly address the issues pointed out in the March report, a large-scale leak of customer personal information occurred for nearly half a year starting in June.