A seller account at AliExpress Korea, a Chinese e-commerce company, was hacked, and about 8.6 billion won in settlement funds were not paid on time.

/Courtesy of AliExpress

According to the AliExpress Korea incident report submitted by the Rebuilding Korea Party lawmaker Lee Hae-min on the 20th from the Korea Internet & Security Agency (KISA), the company recognized the possibility of unauthorized external hacker access to the business online portal used by sellers in Oct. last year and launched an internal investigation.

The investigation found that the hacker exploited a vulnerability in the one-time password (OTP) system used in the password recovery process for business accounts and reset the passwords of a total of 107 business accounts. In 83 of those accounts, the deposit account for settlement funds was changed to an account under the hacker's name. As a result, the amount of settlement funds that were not paid properly reached $6 million, or about 8.6 billion won.

AliExpress added late-payment interest to the unpaid settlement funds and paid the sellers, stating in the report that it took steps to ensure sellers suffered no financial loss. However, it turned out that AliExpress detected no signs of abnormality until inquiries about unpaid settlement funds came in from some sellers.

After recognizing the incident, AliExpress said it improved the OTP system the hacker exploited and introduced additional re-verification procedures for changes to settlement account information.
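The two facts above, that no anomaly was detected until sellers complained and that the fix was re-verification of settlement account changes, describe a detection gap that a payout system can close with a simple correlation rule. The following is an added illustration, not code from AliExpress or from the KISA report: it runs over a constructed audit trail of seller-portal events and holds settlement for any account whose payout destination was changed shortly after an OTP-based password reset. The event schema (`type`, `via`, `new_bank_account`), the 72-hour window and the second signal (one destination account shared across several seller accounts) are assumptions; the report only states that funds went to accounts under the hacker's name.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (not from the KISA report): each entry is one
# event on a seller account in the business portal. Field names are assumed.
SAMPLE_EVENTS = [
    {"ts": "2024-10-01T09:00:00", "account": "seller-001", "type": "password_reset", "via": "otp_recovery"},
    {"ts": "2024-10-01T09:12:00", "account": "seller-001", "type": "payout_account_changed", "new_bank_account": "DEST-A"},
    {"ts": "2024-10-02T10:00:00", "account": "seller-002", "type": "payout_account_changed", "new_bank_account": "DEST-B"},
    {"ts": "2024-09-01T08:00:00", "account": "seller-003", "type": "password_reset", "via": "otp_recovery"},
    {"ts": "2024-10-03T08:00:00", "account": "seller-003", "type": "payout_account_changed", "new_bank_account": "DEST-C"},
    {"ts": "2024-10-04T11:00:00", "account": "seller-004", "type": "password_reset", "via": "otp_recovery"},
    {"ts": "2024-10-04T11:05:00", "account": "seller-004", "type": "payout_account_changed", "new_bank_account": "DEST-A"},
]


def flag_payout_changes(events, window=timedelta(hours=72)):
    """Return {account: sorted list of reasons} for payout-account changes that
    should be held for re-verification instead of being paid out automatically.

    Two signals, both derived from the incident pattern described above:
      * reset_then_payout_change: the payout account was changed within
        `window` of a password reset that went through OTP recovery.
      * shared_payout_account: the same destination account was set on more
        than one seller account (assumed indicator, not stated in the report).
    """
    events = sorted(events, key=lambda e: e["ts"])
    last_reset = {}                 # seller account -> time of latest OTP reset
    dest_owners = defaultdict(set)  # destination account -> seller accounts using it
    change_dest = {}                # seller account -> destination it was changed to
    flags = defaultdict(set)

    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        acct = ev["account"]
        if ev["type"] == "password_reset" and ev.get("via") == "otp_recovery":
            last_reset[acct] = ts
        elif ev["type"] == "payout_account_changed":
            dest = ev["new_bank_account"]
            dest_owners[dest].add(acct)
            change_dest[acct] = dest
            reset_ts = last_reset.get(acct)
            # A reset followed quickly by a payout change is the sequence that
            # went unnoticed in the incident; hold it for out-of-band checking.
            if reset_ts is not None and timedelta(0) <= ts - reset_ts <= window:
                flags[acct].add("reset_then_payout_change")

    # Second pass: one destination account collecting several sellers' payouts.
    for acct, dest in change_dest.items():
        if len(dest_owners[dest]) > 1:
            flags[acct].add("shared_payout_account")

    return {acct: sorted(reasons) for acct, reasons in flags.items()}


def accounts_to_hold(events):
    """Seller accounts whose settlement should be held until the new payout
    account has been re-verified against the registered business."""
    return sorted(flag_payout_changes(events))


if __name__ == "__main__":
    for acct, reasons in flag_payout_changes(SAMPLE_EVENTS).items():
        print(acct, reasons)
    print("hold settlement for:", accounts_to_hold(SAMPLE_EVENTS))
```

In the sample, seller-003 changed its payout account a month after its reset and is not flagged, while seller-001 and seller-004 are held on both signals. The rule is deliberately cheap to evaluate at settlement time, so it can gate payment rather than merely raise an alert afterwards.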

Meanwhile, according to materials the Ministry of Science and ICT submitted to Lee Hae-min's office, AliExpress Korea was found not to have obtained key information security certifications such as the Information Security Management System (ISMS) and the Personal Information & Information Security Management System (ISMS-P).

On this, the ministry said, "AliExpress Korea's official financial statements have not been disclosed on the electronic disclosure system, so the business operator must directly check whether it meets the requirements to be subject to mandatory ISMS certification," adding, "We will notify the business operator that it may be subject to mandatory ISMS certification and guide it to obtain certification if applicable."

AliExpress Korea said, "In June last year, we officially submitted an ISMS certification application as a voluntary applicant," adding, "The on-site audit and related activities have already been completed, and the audit report will be submitted to the Korea Internet & Security Agency (KISA) Certification Committee soon."
