Coupang said on the 25th that it identified the person responsible for the personal data leak and recovered all devices used to leak customer information. Coupang said the leaker accessed information on about 33 million customers but saved only about 3,000 customers' information.
According to Coupang's investigation to date, the leaker, identified as A, is a former employee who accessed customer information by stealing an internal security key obtained while employed. A accessed information on about 33 million customers but saved information on only about 3,000 accounts.
The saved information included names, emails, phone numbers, addresses, some order information, and 2,609 shared-entrance access codes. However, sensitive information such as payment information, login information, and personal customs codes was not included.
It was later confirmed that all of the approximately 3,000 accounts of information saved by A were also deleted. Coupang said in particular that there was no additional leakage such as external transmission.
Coupang said it identified the leaker's identity through digital forensic analysis. It commissioned three global cybersecurity firms—Mandiant, Palo Alto Networks, and Ernst & Young Global Limited (EY)—to conduct the forensic analysis, and the forensic results were found to be consistent with A's statements.
A used a personal desktop PC and a MacBook Air laptop to access customer information. Coupang secured one PC and four hard drives and said it found scripts used in the attack during the forensic analysis.
In the case of the laptop, it was found that A attempted to destroy evidence by physically damaging it, placing it in a bag with bricks, and dumping it in a nearby stream. Based on A's statements, Coupang deployed divers to retrieve the device, and the device's serial number was confirmed to match A's iCloud account information.
In connection with the massive leak of 33.7 million items of personal information, Coupang submitted statements obtained early in the investigation, devices, and forensic materials to government agencies.
A Coupang official said, "We are cooperating with the ongoing investigation," and added, "We fully recognize our responsibility for causing great anxiety to customers due to the personal information leak. Depending on the progress of the investigation, we will provide additional guidance and separately announce customer compensation plans." The official continued, "We will do our best to prevent secondary damage," adding, "We promise to seek every possible measure to prevent a recurrence, taking this incident as a turning point."