Coupang reportedly failed for more than 10 days to recognize a breach in which the personal information of about 4,500 customers was leaked. Critics say there were gaps in providing accurate information, because the actual leak date differed from the date customers were notified.
According to the breach report submitted by the office of Choi Min-hee, chair of the National Assembly's Science, ICT, Broadcasting and Communications Committee, to the Korea Internet & Security Agency (KISA) on the 21st, Coupang reported that at 6:38 p.m. on the 6th there was unauthorized access to its account information. However, the time recorded for when Coupang recognized this was 10:52 p.m. on the 18th, 12 days later.
On the 18th, Coupang sent text messages to affected customers, notifying them that "on Nov. 18, it was confirmed that personal information was viewed without authorization." Although the actual breach occurred on the 6th, both internal detection and customer notification were delayed by about 10 days. As a result, critics say the basic anomaly detection system did not function properly.
However, the Act on Promotion of Information and Communications Network Utilization and Information Protection requires businesses to report within 24 hours from when they become aware of a breach. Coupang reported to authorities at 9:35 p.m. on the 19th, meeting the legal deadline.
According to the report, Coupang said that "records were found of access to 4,536 account profiles without valid authentication." Initial findings suggest a signed access token was abused. The account profiles accessed without authorization are understood to have included the five most recent order histories and address book information such as names, phone numbers, and addresses.
Coupang said it is investigating how the problematic token was obtained, has revoked all token signing keys, and strengthened detection rules. The Ministry of Science and ICT, KISA, and the Personal Information Protection Commission are currently investigating how the leak occurred and the actual scale of the damage.
Experts said, "Failing to detect the breach for 10 days after it occurred reveals structural shortcomings in security management," and noted, "There is a need for a comprehensive reexamination of authentication and monitoring systems at large platforms."