Coupang said on the 25th that it identified the person who leaked personal information and retrieved all devices used in the leak of customer data.

A view of the Coupang logistics center in Jung-gu, Seoul, on the 25th. /Courtesy of News1

According to Coupang's investigation so far, the leaker, identified as A, is a former employee who, while employed, stole an internal security key and used it to access customer information. A accessed information on 33 million customers but saved data from about 3,000 customer accounts.

The stored information included names, emails, phone numbers, addresses, some order information, and 2,609 shared entrance access codes. However, sensitive information such as payment information, login information, and personal customs clearance numbers was not included.

It was later found that all of the approximately 3,000 account records saved by A had been deleted. According to Coupang, there was no additional leak, such as external transmission.

Coupang said it established the leaker's identity through digital forensic analysis. The company commissioned three global cybersecurity firms to conduct the forensic analysis: Mandiant, Palo Alto Networks, and Ernst & Young Global Limited (EY). The forensic results were found to be consistent with A's statement.

A used a personal desktop PC and a MacBook Air laptop to access customer information. Coupang secured one of the PCs and four hard drives, and said it found scripts used in the attack during the forensic process.

As for the laptop, it was found that A tried to destroy evidence by physically damaging it, placing it in a bag with bricks, and dumping it in a nearby stream. Based on A's statement, Coupang deployed divers to retrieve the device, and confirmed that the device's serial number matched A's iCloud account information.

In connection with this large-scale personal information leak involving 33.7 million cases, Coupang submitted statements obtained early in the investigation, equipment, and forensic materials to government agencies.

A Coupang official said, "We are also cooperating with the ongoing investigation," and added, "We take full responsibility for causing great anxiety to customers due to the personal information leak. Depending on the progress of the investigation, we plan to provide additional guidance and separately announce a customer compensation plan." The official continued, "We will do our best to prevent secondary damage," and added, "We promise to devise every measure to prevent a recurrence in light of this incident."
