As a massive personal information leak unfolded at Coupang, some said it resembles the 2010 hacking of Gucci's U.S. unit. In both cases, the core causes were identified as poor management of a departing worker's account and cryptographic keys for electronic signature, exposing a collapse of basic corporate security.

According to the National Assembly and police on the 3rd, the identified attack period tied to the Coupang personal information leak was found to be from June 24 to Nov. 8 of this year. Names, phone numbers, addresses and order histories of a total of 33.7 million Coupang customers were leaked little by little each day.

Coupang headquarters in Songpa-gu, Seoul. /Courtesy of News1

Investigators are considering the possibility that a former Chinese national developer who handled Coupang's authentication system was behind it. That is because the attacker repeatedly accessed customer data abnormally without logging in, using the cryptographic key that electronically signs authentication tokens.

Coupang initially said it was an "external hacking," but as suspicions arose that it failed to cut off a departed worker's access rights, internal security came under scrutiny. Still, citing that the matter is under investigation, Coupang has not separately explained the background of the leak to customers.

Park Dae-jun, Coupang's CEO, appeared at the National Assembly's Science, ICT, Broadcasting, and Communications Committee for a pending-issue inquiry the previous day and said regarding the scope of suspects, "I cannot comment because authorities are currently investigating."

Coupang also learned of the leak only after several customers received threatening emails claiming to "know your personal information." The call center also received threatening emails, and as the company belatedly investigated, the number of affected customers ballooned from 4,500 to 33.7 million.

The hacking of Gucci's U.S. unit is cited as a structurally similar case to the Coupang incident. Sam Yin, a network engineer at Gucci's U.S. unit, was fired in May 2010 and in November of the same year accessed Gucci's servers, crippled the network and deleted key data including emails.

It was revealed that during this process he accessed the servers using a "fake employee account" he had created while employed. The fake employee account had been created a year before he was fired, but Gucci failed to catch it in time. Although Sam Yin carried out the hacking after leaving, prosecutors, upon indictment, concluded it was an insider attack because server access rights had not been managed.

According to foreign media, Sam Yin's motive was reportedly retaliation for being fired. Before his dismissal, he is said to have remarked, "Without me, this system will not run." As with Coupang, there was no monetary motive such as demanding money, stealing data to sell, or blackmail. U.S. prosecutors called it "pure sabotage."

There have been multiple insider-attack personal information leaks. Last year, U.S. fintech bank FinWise suffered an incident in which a departed worker logged back into internal systems with "retained credentials" and viewed and stole information on about 689,000 customers. The company discovered the breach only a year later.

At mobile investing service Cash App Investing, it was revealed that in 2021 a former employee continued to access internal reports after leaving and downloaded files containing account and investment information for more than 8.2 million customers. The company only said, "While employed there was lawful authorization, but post-departure access was unauthorized."

Coupang avoided specifics about the background or motive for the leak, saying the investigation is still underway. Some raised the possibility that a former employee committed the crime out of a desire for revenge, but the exact motive remains unclear.

Experts suspect Coupang's personal information leak followed a similar pattern. That is because ① management of a departing worker's account or cryptographic keys was lax, ② system access rights were broad, and ③ anomalous behavior went undetected for a long time. Insider attacks, in particular, often go unnoticed for long periods because they appear to be "normal users." The point is that even if security infrastructure such as AI-based detection systems is strengthened, failing to keep the basics can render it useless.
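The two controls the pattern above points to can be shown in a few lines. The following is an added illustration written for this article, not code from Coupang or from the investigation: the key ids, keys, session ids and log records are all constructed. It shows (a) a token verifier that rejects a token signed with a key that has been retired from the active set, even though the signature itself is valid, and (b) an audit check that flags data accesses whose session id was never issued by the login service, which is how a token minted directly with a leaked key looks in the logs.

```python
"""Constructed demo of two defender-side checks: key rotation and orphan-session audit."""
import base64
import hashlib
import hmac
import json


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Mint an HMAC-SHA256 token; 'kid' records which signing key was used."""
    body = _b64u(json.dumps({"kid": kid, **claims}, sort_keys=True).encode())
    sig = _b64u(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, active_keys: dict):
    """Accept only tokens whose key id is still in the active set.
    A key removed on rotation is rejected even if its signature checks out."""
    body, _, sig = token.partition(".")
    claims = json.loads(_b64u_decode(body))
    key = active_keys.get(claims.get("kid"))
    if key is None:
        return None  # retired or unknown key: reject before checking the MAC
    expected = _b64u(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return claims if hmac.compare_digest(expected, sig) else None


def orphan_sessions(login_events: list, access_events: list) -> list:
    """Return session ids seen in data-access logs that no login event issued."""
    issued = {e["sid"] for e in login_events}
    return sorted({e["sid"] for e in access_events if e["sid"] not in issued})


# Constructed sample data (assumption): key k1 was retired when the developer
# left and k2 is the only active key; the forged token still carries kid=k1.
OLD_KEY, NEW_KEY = b"old-signing-key-placeholder", b"new-signing-key-placeholder"
ACTIVE_KEYS = {"k2": NEW_KEY}
FORGED = sign_token({"sid": "s-forged", "role": "admin"}, "k1", OLD_KEY)
LEGIT = sign_token({"sid": "s-1001", "role": "user"}, "k2", NEW_KEY)
LOGINS = [{"sid": "s-1001", "user": "alice"}]
ACCESSES = [{"sid": "s-1001", "path": "/orders"}, {"sid": "s-forged", "path": "/customers"}]

if __name__ == "__main__":
    print(verify_token(FORGED, ACTIVE_KEYS))        # rejected: k1 is retired
    print(verify_token(LEGIT, ACTIVE_KEYS)["sid"])  # s-1001
    print(orphan_sessions(LOGINS, ACCESSES))        # ['s-forged']
```

Without the rotation step, the forged token would verify exactly like a legitimate one, which is why the orphan-session check matters as a second line of detection.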

A domestic security industry official said, "Managing access rights for departing workers is among the most basic of basics, yet cases of personal information leaks or cyberattacks due to failures here are appearing worldwide," adding, "Not only Coupang but other domestic corporations should no longer think 'we are fine.'"

※ This article has been translated by AI.