Coupang is stressing that no financial information such as card details or passwords was exposed in the personal data leak affecting 33.7 million cases, but security experts are in agreement that "it is not time to feel safe yet." In past cases involving other corporations' customer data breaches, subsequent probes revealed larger scales or different types of exposed information than initially announced.

Because this incident exposed not only the nature and scope of the leaked information but also structural problems such as the failure to revoke authentication keys and access rights, there are growing calls for investigators to go beyond determining the cause and reexamine the corporation's overall internal security framework.

Coupang headquarters in Songpa-gu, Seoul./News1

◇ "Unclear whether financial information was exposed"

According to Science, ICT, Broadcasting and Communications Committee Chairperson Choi Min-hee and industry sources on the 2nd, the incident was not caused by an external hack but by a former employee of Chinese nationality who used an authentication key to access customer account information without authorization for about five months. The authentication key is a core security tool a server uses to verify the authenticity of a login token. If a token is like a one-time entry pass, the authentication key is the stamp that validates that pass: it is the element that decides whether a presented token is genuine, which is why retiring it when it is no longer needed matters so much.
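To make the "stamp" analogy concrete, here is a small added illustration (not Coupang's code, and not a description of its systems) of how a server-side signing key validates a login token, and why retiring a key invalidates every token minted with it. The HMAC-SHA256 construction, the key ring, the key IDs and the payload fields are all assumptions made for this example.

```python
# Added example: server-side authentication (signing) key validating tokens.
# Not Coupang's code; key IDs, payload fields and the key ring are assumptions.
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class KeyRing:
    """Server-side store of authentication keys, looked up by key ID (kid)."""

    def __init__(self):
        self._keys = {}

    def add(self, kid: str, key: bytes = None) -> bytes:
        key = key or secrets.token_bytes(32)
        self._keys[kid] = key
        return key

    def retire(self, kid: str) -> None:
        # Once the key is gone, nothing it ever signed can be validated again.
        self._keys.pop(kid, None)

    def get(self, kid: str):
        return self._keys.get(kid)


def mint_token(ring: KeyRing, kid: str, subject: str, ttl: int = 3600, now=None) -> str:
    """Issue a token: base64(payload) '.' base64(HMAC over that payload)."""
    now = now if now is not None else int(time.time())
    payload = {"sub": subject, "exp": now + ttl, "kid": kid}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(ring.get(kid), body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def verify_token(ring: KeyRing, token: str, now=None):
    """Return the payload if the token is genuine and unexpired, else None."""
    now = now if now is not None else int(time.time())
    try:
        body, sig = token.split(".", 1)
        payload = json.loads(_unb64(body))
        sig_bytes = _unb64(sig)
    except (ValueError, json.JSONDecodeError):
        return None
    key = ring.get(payload.get("kid", ""))
    if key is None:
        return None  # key retired or unknown: the "stamp" no longer exists
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        return None  # payload was altered or signed with a different key
    if payload.get("exp", 0) <= now:
        return None
    return payload


if __name__ == "__main__":
    ring = KeyRing()
    ring.add("k1")
    tok = mint_token(ring, "k1", "user-42")
    print("valid before retirement:", verify_token(ring, tok) is not None)
    ring.retire("k1")
    print("valid after retirement:", verify_token(ring, tok) is not None)
```

The point of the `retire` step is the one the article makes: as long as the key stays in the ring, any token it signed remains acceptable to the server, regardless of whether the person holding it still works there.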

Regarding this incident, Coupang said on the 29th of last month, "There was an incident where some personal information was exposed. As soon as we recognized the exposure, we promptly reported it to the relevant authorities," adding, "According to what has been investigated so far, the exposed information includes names, email addresses, shipping address books, and order information." The company also said, "We have confirmed that there was no exposure of payment information such as card details or login-related information such as passwords, and that they are being safely protected."

Security experts, however, say it is difficult to conclude based on Coupang's announcement alone that financial information is completely safe. Korea Information Security Industry Association President Cho Young-cheul said, "It's hard to jump to conclusions because we don't know how far and what information the person with the authentication key looked at," adding, "They may not have actually taken financial information, but it's also possible that they did and the related logs have not been identified yet." Hong Jun-ho, a professor in the Department of Convergence Security Engineering at Sungshin Women's University, also said, "Whether financial information was exposed is still uncertain," adding, "Nothing will be clear until the results come out through log analysis."

In previous cases at other corporations, there were several instances where officials initially said there were no signs of compromise or the scale was small, only for investigations and probes to reveal that the scope and duration of damage were far greater. For example, in KT's case involving small-amount payments and illegal femtocells in September, the company initially said, "There are no signs of personal information leakage." But as investigations and a full internal review progressed, the number of identified affected customers increased from 278 to 368. The number of femtocell IDs also rose from 4 to 20 after 16 more were identified, expanding the suspected scope of leakage and misuse. KT acknowledged signs of leakage of 5,561 International Mobile Subscriber Identity (IMSI) numbers in its first report to the Personal Information Protection Commission, but in an additional report, it said probes had identified signs of leakage of IMSI, International Mobile Equipment Identity (IMEI), and mobile phone numbers for 20,030 people.

In the SK Telecom hacking case in April, the investigation confirmed a massive leak affecting roughly half the population, including 33 types of malware, infections across 28 servers, and 26.96 million cases covering 25 types of USIM information. Despite the seriousness of the personal information leak, SK Telecom began notifying subscribers via text and email only after a day had passed. An industry official said, "Corporations first check core servers, and then a public-private joint investigation team conducts additional probes. Criminal liability and determinations of negligence become clear only after police and prosecutors investigate," adding, "From a corporation's perspective, they provide only the minimum information, considering investor and market reactions."

Another industry official said, "It is difficult for corporations to know the exact scope of damage in the early stages. In most cases, the exact scope of a data leak emerges only after log analysis, forensics, and system recovery, and this process takes at least several days to more than several weeks." This is because an insider may have accessed data with normal privileges, leaving no detection at all, or logs may remain only partially or be damaged. The official said, "If, as in the Coupang incident, a former employee used an authentication key, records can be omitted or distorted, making it difficult to identify the initial scope of damage."

Park Dae-jun, Coupang CEO, and Brett Mathis, Coupang Chief Information Security Officer (CISO), talk as they attend the Science, ICT, Broadcasting and Communications Committee's inquiry on the Coupang personal data breach at the National Assembly in Yeouido, Seoul, on the 2nd./Courtesy of Yonhap News

◇ "Basic security controls did not function"

Experts view the crux of this incident as a failure of security management across Coupang's systems. They point in particular to the failure to revoke a former employee's privileges and retire authentication keys as the biggest problems. In other words, authentication, authorization, and access management were run inadequately. Under Article 29 of the Personal Information Protection Act, the administrative rule "Standards for Measures to Ensure the Security of Personal Information" requires that privileges be changed or revoked without delay when job duties change or an employee retires, and that the status of privilege assignments be checked regularly.

Professor Hong said, "Corporations must have basic and mandatory security frameworks such as access control, access rights management, and encryption measures," adding, "Those who handle personal information must connect in a network-segmented environment or use dedicated terminals, and it is basic for automatic detection to kick in when bulk downloads occur, yet even these most rudimentary security controls appear not to have functioned properly."
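Two of the controls named above, revoking a departed employee's access and automatically flagging bulk downloads, can be checked mechanically against access logs. The following is an added example written for this article, not Coupang's code or a description of its environment; the log format, the HR roster, the identities, the 10-minute window and the 1,000-record threshold are all constructed assumptions.

```python
# Added example: audit a constructed access log for (1) access by identities
# whose termination date has passed and (2) bulk record retrieval beyond a
# per-window threshold. Not Coupang's code; all names and values are made up.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HR roster: identity -> termination date (None = still employed).
ROSTER = {
    "alice": None,
    "bob": datetime(2025, 6, 30),  # departed; keys and privileges should be retired
}

# Constructed access log: timestamp, identity, key id, records returned.
ACCESS_LOG = """\
2025-07-01T09:00:00 alice key-a 12
2025-07-01T09:05:00 bob key-b 500
2025-07-01T09:07:00 bob key-b 800
2025-07-01T09:09:00 bob key-b 900
2025-07-01T10:30:00 alice key-a 40
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, identity, key id, count) rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ident, kid, count = line.split()
        rows.append((datetime.fromisoformat(ts), ident, kid, int(count)))
    return rows


def find_post_termination_access(rows, roster):
    """Rows where a departed employee's credentials were still accepted."""
    hits = []
    for ts, ident, kid, _ in rows:
        left = roster.get(ident)
        if left is not None and ts > left:
            hits.append((ts, ident, kid))
    return hits


def find_bulk_downloads(rows, threshold=1000, window=timedelta(minutes=10)):
    """Identities whose records returned in any sliding window exceed threshold.

    Returns {identity: peak records within one window}.
    """
    by_ident = defaultdict(list)
    for ts, ident, _, count in rows:
        by_ident[ident].append((ts, count))
    alerts = {}
    for ident, events in by_ident.items():
        events.sort()
        start = 0
        running = 0
        for ts, count in events:
            running += count
            # Drop events that fell out of the window before checking.
            while ts - events[start][0] > window:
                running -= events[start][1]
                start += 1
            if running > threshold:
                alerts[ident] = max(alerts.get(ident, 0), running)
    return alerts


if __name__ == "__main__":
    rows = parse_log(ACCESS_LOG)
    for ts, ident, kid in find_post_termination_access(rows, ROSTER):
        print(f"post-termination access: {ts} {ident} via {kid}")
    for ident, peak in find_bulk_downloads(rows).items():
        print(f"bulk download: {ident} pulled {peak} records within one window")
```

The first check is the preventive one: it should never produce a hit, because a departed identity's keys should already be gone from the system that accepts them. The second is the detective one the professor describes, and it is deliberately run on the whole log rather than on a single request, since bulk retrieval is only visible across requests.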

The industry is advising that basic steps be taken to prevent secondary damage, including canceling recurring payments, deleting card information, and changing passwords. They stress that users who reuse the same or similar IDs and passwords as their Coupang credentials on other sites should change them immediately. Professor Hong said, "Even if financial information is actually safe, the names, addresses, and contact details of most citizens have already been leaked," adding, "If this information is combined with other sites' account and autopay information, the scope of damage could become much larger. Secondary damage such as phishing, smishing, and tailored scams could occur."

The Korea Internet & Security Agency (KISA) urgently distributed a "smishing and phishing caution advisory on exploitation of e-commerce hacking damages" on the 29th of last month. KISA advised that if you receive a text message containing false content such as "delivery error," you can check for malicious content through the smishing and phishing verification service on the KakaoTalk channel "Boho Nara."
