Despite a breach that exposed 33.7 million records of customer personal information, how Coupang's internal access-permission structure and control systems actually operated at the time of the incident remains "shrouded in fog."

Coupang states as a principle that it grants access rights only to the minimum number of staff needed for work involving personal information, but it has not submitted the key evidence that would prove this to either the government or the National Assembly.

Illustration: ChatGPT DALL·E

According to ChosunBiz reporting compiled on the 5th, Coupang's privacy policy states that it implements personal information protection measures such as ▲ granting minimum access rights ▲ access control for databases (DB) ▲ access logging and management. Its sustainability reports likewise say it will strengthen personal information protection and internal controls.

However, whether that principle was actually implemented in the systems involved in this breach still cannot be verified. To check, lawmakers from both the ruling and opposition parties asked Coupang to submit key materials such as its security systems and permission-management rules; when the materials did not arrive, they formally demanded the documents again at emergency inquiries of the National Assembly's Science, ICT, Broadcasting and Communications Committee on the 2nd and the National Policy Committee on the 3rd.

According to materials submitted by Coupang and the Personal Information Protection Commission (PIPC) to the office of Kim Sang-hun, a People Power Party lawmaker on the National Policy Committee, Coupang says it is difficult to submit key materials such as ▲ the internal access-permission structure (IAM, identity and access management) at the time of the incident ▲ the scope of personal information DBs the account in question could reach ▲ log records that would show whether systems for detecting unauthorized access were operating. It says it must comply with an official request to refrain from explaining externally any information that could affect the police investigation.

As a result, it has not even been officially confirmed or verified through what paths and structures the 33.7 million records of personal information were leaked in bulk. Verification of whether Coupang's stated "minimum access rights principle" was actually observed is effectively in a vacuum. Likewise, how large-scale access to and leakage of personal information was possible, and whether the same type of risk could recur, cannot currently be confirmed or verified from the outside.

Graphics by Jeong Seo-hee

According to an investigation progress report by the Personal Information Protection Commission (PIPC), Coupang first identified signs of illegal access on the 16th of last month through a customer tip email (VOC), and only the following has been confirmed: ▲ in the first investigation, a leak of the personal information of 4,536 people and the revocation of an authentication key ▲ in the second investigation, which expanded the scope of log analysis, a leak of the personal information of 33.7 million people.

The industry views this situation as a structural problem in which Coupang's internal security and control systems did not function adequately. If the basic control chain of minimum access rights, permission verification and log auditing had operated properly, the scale of damage should have been bounded even if internal authentication credentials were leaked: a credential scoped to one job function cannot read tables outside it, and an audit of access logs should flag a single principal reading millions of records.
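To make that argument concrete, the following is an added illustration written for this article, not code from Coupang or from any material submitted to regulators. It is a small Python model of a scoped service key, a permission check and a log audit, replayed against constructed access records; every key name, table name, row count and threshold is hypothetical.

```python
"""Added illustration (not from the article or from Coupang): how a least-privilege
permission check plus log auditing bounds the damage from a leaked internal
credential. All keys, tables, row counts and thresholds are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class KeyPolicy:
    key_id: str
    allowed_tables: frozenset   # tables the key may read (least privilege)
    max_rows_per_window: int    # bulk-read ceiling checked during log audit


@dataclass
class AccessEvent:
    key_id: str
    table: str
    rows: int
    denied: bool = False


def authorize(policy: KeyPolicy, table: str) -> bool:
    """Permission verification: deny any table outside the key's scope."""
    return table in policy.allowed_tables


def simulate(policies: dict, requests: list) -> list:
    """Replay (key_id, table, rows) requests through authorize(), emitting one
    log event per request so the audit step has something to read.
    A denied request reads zero rows but is still logged."""
    events = []
    for key_id, table, rows in requests:
        ok = key_id in policies and authorize(policies[key_id], table)
        events.append(AccessEvent(key_id, table, rows if ok else 0, denied=not ok))
    return events


def audit(events: list, policies: dict) -> dict:
    """Log auditing: flag out-of-scope attempts, unknown keys, and bulk reads
    above a key's ceiling. Returns per-key findings and total rows exposed."""
    rows_by_key = defaultdict(int)
    findings = defaultdict(list)
    for e in events:
        if e.denied:
            findings[e.key_id].append(f"out-of-scope read attempt on {e.table}")
        rows_by_key[e.key_id] += e.rows
    for key_id, total in rows_by_key.items():
        policy = policies.get(key_id)
        if policy is None:
            findings[key_id].append("unknown key")
        elif total > policy.max_rows_per_window:
            findings[key_id].append(
                f"bulk read: {total} rows > ceiling {policy.max_rows_per_window}")
    return {"findings": dict(findings), "rows_exposed": sum(rows_by_key.values())}


# Constructed attacker behaviour: one leaked key (hypothetical name) is used to
# dump every customer table it can reach. Numbers are illustrative only.
LEAKED_KEY = "svc-cs-tool"
DUMP_REQUESTS = [
    (LEAKED_KEY, "orders", 9_000),         # the table the tool legitimately uses
    (LEAKED_KEY, "customers", 2_500_000),  # outside its job function
    (LEAKED_KEY, "addresses", 1_800_000),
]

# Over-broad policy: the key may read everything and no ceiling is enforced.
BROAD = {LEAKED_KEY: KeyPolicy(LEAKED_KEY,
                               frozenset({"orders", "customers", "addresses"}), 10**12)}
# Least-privilege policy: one table, with a per-window ceiling that fits the job.
SCOPED = {LEAKED_KEY: KeyPolicy(LEAKED_KEY, frozenset({"orders"}), 5_000)}


def run(policies: dict) -> dict:
    """Replay the constructed dump under a policy and audit the resulting log."""
    return audit(simulate(policies, DUMP_REQUESTS), policies)


if __name__ == "__main__":
    for name, pol in (("broad", BROAD), ("scoped", SCOPED)):
        result = run(pol)
        print(name, "rows exposed:", result["rows_exposed"],
              "findings:", result["findings"])
```

Under the over-broad policy the constructed dump of 4,309,000 rows completes with no findings, because nothing was out of scope and no ceiling existed to trip. Under the scoped policy the same requests yield 9,000 exposed rows and three findings: two denied out-of-scope attempts and one bulk-read alert on the in-scope table. This models the controls the paragraph names, not how Coupang's systems actually behaved, which the article says remains unverified.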

A security industry official said, "If a normal internal control system had been in place, corporations would have proactively explained, based on basic materials such as IAM or access logs, what permissions had been granted and whether unauthorized access was blocked," adding, "Coupang's current course only reads as a signal that there is not even sufficient basis for outsiders to verify how the internal security system actually operated."

Kim Sang-hun of the People Power Party said, "Separate from Coupang touting a 'minimum permission principle,' the reality that it cannot even submit the key evidence to prove it is proof that the internal control system effectively did not function," adding, "The mere fact that the government and the National Assembly cannot even confirm the basic access permission structure shows that this Coupang incident is not a simple mishap but the result of structural management negligence."

※ This article has been translated by AI.