The Cybersecurity and Infrastructure Security Agency (CISA) warned last year that intrusions follow when the accounts and tokens of departing employees are not properly retired. With indications that Coupang's recent massive personal data leak stemmed from lax management of a former employee's access rights, some say the incident was a breach foretold.
According to the security industry on the 3rd, CISA published an analysis in Feb. last year, in cybersecurity advisory AA24-046A, of a state government intrusion carried out through a former employee's account. A threat actor used the still-active administrator account of a former employee of a state government organization to reach an internal server, gather host and user information, and offer the collected data for sale on the dark web.
CISA said, "Attackers abuse valid accounts, including former employees' accounts that have not been properly removed," explaining that such cases are common in the initial-access stage.
CISA advised continuously removing or deactivating accounts and groups that are no longer needed, especially administrator accounts. Its key tasks were: ▲ introducing a user management process that promptly deletes departing employees' accounts; ▲ requiring multi-factor authentication (MFA) for remote access and administrator accounts; ▲ regularly identifying and disabling dormant accounts with no login activity for an extended period.
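The three tasks above amount to one reconciliation: compare what HR says about who has left against what the identity provider says about who can still log in. The following is an added example (not code from CISA or from any company named in this article) showing that check over constructed sample data. The account fields, usernames and the 90-day dormancy threshold are assumptions for illustration; real directories (Active Directory, Okta, IAM) expose the same attributes under different names.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data, not taken from any real directory or HR system.
NOW = datetime(2025, 12, 3, tzinfo=timezone.utc)
DORMANT_AFTER = timedelta(days=90)   # assumed threshold; CISA gives no fixed number

# Usernames HR marked as having left the company.
HR_DEPARTED = {"jkim", "mlee"}

# Identity-provider export: whether the account is enabled, whether it holds
# admin rights, whether MFA is enrolled, and the last successful login (None = never).
IDP_ACCOUNTS = [
    {"user": "jkim",       "enabled": True,  "admin": True,  "mfa": False, "last_login": NOW - timedelta(days=120)},
    {"user": "mlee",       "enabled": False, "admin": False, "mfa": True,  "last_login": NOW - timedelta(days=200)},
    {"user": "spark",      "enabled": True,  "admin": False, "mfa": True,  "last_login": NOW - timedelta(days=2)},
    {"user": "svc-backup", "enabled": True,  "admin": True,  "mfa": False, "last_login": None},
    {"user": "hchoi",      "enabled": True,  "admin": True,  "mfa": True,  "last_login": NOW - timedelta(days=95)},
]


def review_accounts(accounts, departed, now=NOW, dormant_after=DORMANT_AFTER):
    """Return the three finding lists that map to CISA's three tasks.

    departed_still_enabled: HR says the person left, but the IdP still lets them in.
    dormant:                enabled accounts with no login inside the window (never-used
                            accounts count as dormant, since they are pure attack surface).
    admin_without_mfa:      enabled admin accounts that could be used with a password alone.
    """
    findings = {"departed_still_enabled": [], "dormant": [], "admin_without_mfa": []}
    for a in accounts:
        if not a["enabled"]:
            continue                      # already retired; nothing to do
        if a["user"] in departed:
            findings["departed_still_enabled"].append(a["user"])
        last = a["last_login"]
        if last is None or now - last > dormant_after:
            findings["dormant"].append(a["user"])
        if a["admin"] and not a["mfa"]:
            findings["admin_without_mfa"].append(a["user"])
    return findings


def accounts_to_disable(findings):
    """Accounts that should be disabled now: anything departed or dormant, sorted for a ticket."""
    return sorted(set(findings["departed_still_enabled"]) | set(findings["dormant"]))


if __name__ == "__main__":
    f = review_accounts(IDP_ACCOUNTS, HR_DEPARTED)
    for name, users in f.items():
        print(f"{name}: {users}")
    print("disable:", accounts_to_disable(f))
```

Run on the sample, the review flags jkim (departed but still enabled, dormant, and an admin without MFA), the never-used service account svc-backup, and hchoi, whose admin account has simply gone quiet. Running this on a schedule, and feeding the HR roster in automatically rather than by e-mail between departments, is what turns the CISA tasks from policy into a control.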
Security experts see Coupang's personal data leak as the result of failing to follow the basic tasks CISA laid out. According to the government's investigation so far, from June 24 to Nov. 18 this year, information on 33.7 million Coupang members — including names, emails, phone numbers, addresses, and order histories — was siphoned off.
In the process, the attacker accessed customer data repeatedly without going through a login, using the cryptographic key with which Coupang's authentication tokens are signed. Whoever holds a signing key can mint tokens the system accepts as valid, so no password, MFA or account is needed once the key is in hand. Investigators are proceeding on the premise that a former developer of Chinese nationality who had worked on Coupang's authentication system may have been involved.
National Assembly Science, ICT, Broadcasting, and Communications Committee Chairperson Choi Min-hee also cited Coupang's long neglect of the validity period of its cryptographic keys as a cause of the leak. Choi said, "Even though renewing signing keys is the most basic internal security procedure, Coupang did not follow it," adding, "Leaving long-valid authentication keys unattended is not simply a deviation by an individual employee but the result of organizational and structural problems that neglected the authentication system."
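To make the signing-key point concrete, here is an added example (not Coupang's code, and not based on any knowledge of its authentication system) of a minimal HS256 JWT issuer and verifier in which every signing key carries a hard end of validity. The key identifiers, secrets and dates are invented. The point it demonstrates is the one in the passage above: a token minted with a key is accepted for as long as that key is trusted, regardless of any login, so a key that is never retired lets a departed key-holder keep minting valid tokens indefinitely, while a verifier that checks the key's own validity period rejects them even if the token's `exp` claim is still in the future.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Constructed key registry (hypothetical). Each signing key has an id, a secret and a
# hard end of validity; rotation means adding a new kid and letting the old one expire.
KEYS = {
    "2024-01": {"secret": b"old-secret-rotate-me", "not_after": 1_735_689_600},  # retired 2025-01-01
    "2025-07": {"secret": b"current-secret",       "not_after": 1_767_225_600},  # retires 2026-01-01
}


def sign(payload: dict, kid: str, now: int) -> str:
    """Issue a token; refuses to use a key past its validity period."""
    key = KEYS[kid]
    if now >= key["not_after"]:
        raise ValueError(f"key {kid} retired; rotate before issuing")
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify(token: str, now: int) -> dict:
    """Verify a token and return its claims, or raise ValueError with the reason."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    key = KEYS.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    if now >= key["not_after"]:               # the per-key validity check the article says was neglected
        raise ValueError("token signed with retired key")
    expected = hmac.new(key["secret"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p))
    if payload.get("exp", 0) <= now:          # a token without exp is treated as already expired
        raise ValueError("token expired")
    return payload


def demo():
    """Mint a ten-year token with the 2024-01 key while it is valid, then check it before and after rotation."""
    issued = 1_720_000_000                     # 2024-07-03, key 2024-01 still valid
    token = sign({"sub": "u123", "exp": issued + 10 * 365 * 86400}, "2024-01", issued)
    soon = verify(token, issued + 3600)["sub"]  # accepted an hour later
    try:
        verify(token, 1_740_000_000)           # 2025-02-19: key retired, token's own exp still far off
        later = "accepted"
    except ValueError as e:
        later = str(e)
    return soon, later


if __name__ == "__main__":
    print(demo())
```

Without the `not_after` check in `verify`, the second call would succeed: the signature is genuine and the token has not expired, which is exactly the situation in which a copied key keeps working long after its holder has left. Rotating the key is only half of the fix; the verifier has to stop honouring the old one.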
The problem is not unique to Coupang. Many domestic corporations still close out only the HR record when an employee leaves, without an "off-boarding" process that revokes, in one sweep, the privileges, credentials and tokens granting access to cloud environments and servers. Coupang, too, reportedly had a gap in its off-boarding process because the HR and development departments did not coordinate.
Experts agree that if the basic discipline of managing former employees' privileges breaks down, further investment in security infrastructure is wasted. One security expert said, "If you leave access rights in place after someone leaves, the company is effectively issuing a 'ghost pass,'" adding, "Similar cases are appearing worldwide, so it is time to review the basic procedures."