As it belatedly came to light that the personal information of 33.7 million Coupang subscribers had been leaked for months, attention is focusing on the intent behind the hacker's "threatening email" sent to Coupang. Analysts say it may not have been a simple demand for money or an act of retaliation, but a bid for a kind of "official certification" to boost the value of the leaked information. That is because when large volumes of personal information are traded on markets such as the dark web, prices can jump two to three times if the company that suffered the leak validates the data.
◇ Threatening emails after hacks overseas as well... a strategy to obtain certification
According to investigative authorities on the 4th, Coupang reported the personal information leak to the Personal Information Protection Commission on the 18th of last month. Coupang first became aware of the matter two days before the report, after a threatening email stating, "Your customer data has been leaked. We will inform the media and other outside parties," arrived at Coupang's customer center. Similar emails arrived again on the 25th and 28th of last month.
A government probe found that since June 24, a small amount of Coupang customer information had been siphoned out daily. The leaked data covers 33.7 million customers' names, phone numbers, addresses and order histories. Authorities said it is still early in the investigation, making it difficult at this point to conclude whether the hacker who leaked the personal information and the sender of the threatening emails are the same person.
Even so, security experts say "the threatening email itself may have been a strategy to obtain the certification the hacker wanted." When personal information is traded on the dark web or hacker forums, whether the data actually came from inside the company is the key factor that determines price. Prices can rise by as much as two to three times depending on whether it is merely "scraped information" consisting of names, phone numbers and addresses, or information actually leaked from a company's customer database (DB).
A police officer in charge of cyber investigations said, "It's hard to be definitive, but some hackers first inform the corporations about the information they leaked, blow up the incident, and then use that fact as certification material on the dark web," adding, "Rather than selling quietly, there is a structure where information sells for more only when the corporations publicly acknowledge the damage."
In fact, overseas there are many cases of the typical pattern of "threatening email → corporate recognition → public disclosure of the leak → price increases." In the 2023 hack of MGM Resorts in the United States, the hacker approached MGM directly by email claiming to have "seized control of the internal network," and when MGM responded, the hacker posted a capture of that exchange on the dark web to flaunt the material as genuine.
In the 2022 Nvidia hacking case, the attackers disclosed portions of in-house messages and the company's response to prove "this is Nvidia's internal material," after which related data was reportedly traded at high prices. During the 2014 Sony Pictures hack, the hacker sent a threatening email to a Sony executive demanding the cancellation of a film's release and then posted that on the website as certification that "we are actually inside the internal network."
Hwang Seok-jin, a professor at Dongguk University's Graduate School of International Information Security, said, "Because the leaked information links names with home addresses, its value is high," adding, "The perpetrators tried to extort financial gains from the company and also raise the information's value through certification."
◇ It may also have been for retaliation or to check a competitor
Some analysts say money may not have been the motive. It has been suggested that a Coupang developer of Chinese nationality may have leaked the personal information out of resentment over being fired.
There is also talk that it may have been done to check a competitor. Kwon Heon-young, a professor at Korea University's Graduate School of Information Security, said, "If you think about who stands to gain from this hacking incident, a competitor may have done this to damage Coupang's image."
Police have obtained the IP addresses used in the crime by securing server log records from Coupang and are tracking them. They are also checking whether the suspect who leaked the personal information is the same person who sent the threatening emails to Coupang.