S. Korea Attributes Coupang Data Breach to Management Oversight Rather Than Advanced Cyberattack
South Korean officials have attributed a significant data leak at Coupang last year to management failures rather than a sophisticated cyberattack. They urged the e-commerce giant to address vulnerabilities in its security systems.
In a recent announcement detailing the initial findings of a government-led investigation, the Science Ministry revealed that a former Coupang engineer exploited flaws in the company’s authentication process. This breach, which began in April and continued until November, was not the engineer’s first attempt; he had previously tried to gain access in January.
Coupang Korea, which operates under the U.S.-listed Coupang Inc., faced considerable backlash from the public and lawmakers following the breach. The incident has heightened trade tensions with Washington, as concerns grow over the treatment of the U.S.-listed company by Korean authorities.
Read more: Coupang Confirms More Data Leaks Which South Korean Aide Says Has ‘Shaken’ US Ties
“It’s more of a management problem than an advanced attack,” stated Choi Woo-hyuk, the deputy minister for cyber security and network policy, during a press conference. He highlighted the lax oversight concerning authentication systems.
The ministry reported that the leak compromised the personal data of approximately 33.7 million customers. A delivery-address list page, which included names and phone numbers, was accessed around 150 million times.
“The attacker exploited user authentication vulnerabilities to access user accounts without proper login credentials, resulting in large-scale unauthorized information leaks,” the ministry explained.
Furthermore, the ministry has called on the police to investigate Coupang for allegedly attempting to obstruct the investigation by deleting critical data, claiming the company defied a government order to preserve such information.
Coupang has yet to respond to requests for comment. Previously, the company stated that the leak involved contact details but confirmed that no payment information or login credentials were compromised. They also mentioned that users were notified in accordance with government guidelines.
‘Coupang Needs Tighter Security’
The ministry accused the former employee, who left the company in November 2024, of stealing an internal security key, known as a signing key. This key was reportedly used to generate fake login tokens, allowing unauthorized access to customer accounts.
It was noted that the staff member had played a role in designing and developing parts of Coupang’s user authentication system. The ministry criticized the company for failing to invalidate the developer’s signing key after their departure, deeming it an inadequate security measure.
“Coupang needs to implement a detection and blocking system for electronic access cards that do not follow the standard issuance process,” the ministry advised.
While the ministry could not confirm whether more than one individual was involved in the breach, they indicated that further details would emerge from the ongoing police investigation.
In January, South Korean Justice Minister Jung Sung-ho announced that an arrest warrant had been issued for a Chinese national who had previously worked at Coupang.
Arrest Warrant
The police investigation is still underway, and the personal data watchdog is also looking into the incident. Coupang is currently facing a tax audit in South Korea, along with a legal complaint filed by the country’s parliament against its founder and former executives for failing to attend parliamentary hearings last year.
The ministry accused Coupang of violating the information-network law by not reporting the breach within the mandated 24-hour period. They plan to impose an administrative fine of up to 30 million won ($20,596) under this law.
Coupang reported the data breach to its chief information security officer at 4:00 p.m. local time on November 17 and notified authorities at 9:35 p.m. on November 19, resulting in a delay of over 53 hours.
(Reporting by Heekyong Yang and Hyunjoo Jin; additional reporting by Heejin Kim; editing by Ed Davies)
Related:
South Korean officials have attributed a significant data leak at Coupang last year to management failures rather than a sophisticated cyberattack. They urged the e-commerce giant to address vulnerabilities in its security systems.
In a recent announcement detailing the initial findings of a government-led investigation, the Science Ministry revealed that a former Coupang engineer exploited flaws in the company’s authentication process. This breach, which began in April and continued until November, was not the engineer’s first attempt; he had previously tried to gain access in January.
Coupang Korea, which operates under the U.S.-listed Coupang Inc., faced considerable backlash from the public and lawmakers following the breach. The incident has heightened trade tensions with Washington, as concerns grow over the treatment of the U.S.-listed company by Korean authorities.
Read more: Coupang Confirms More Data Leaks Which South Korean Aide Says Has ‘Shaken’ US Ties
“It’s more of a management problem than an advanced attack,” stated Choi Woo-hyuk, the deputy minister for cyber security and network policy, during a press conference. He highlighted the lax oversight concerning authentication systems.
The ministry reported that the leak compromised the personal data of approximately 33.7 million customers. A delivery-address list page, which included names and phone numbers, was accessed around 150 million times.
“The attacker exploited user authentication vulnerabilities to access user accounts without proper login credentials, resulting in large-scale unauthorized information leaks,” the ministry explained.
Furthermore, the ministry has called on the police to investigate Coupang for allegedly attempting to obstruct the investigation by deleting critical data, claiming the company defied a government order to preserve such information.
Coupang has yet to respond to requests for comment. Previously, the company stated that the leak involved contact details but confirmed that no payment information or login credentials were compromised. They also mentioned that users were notified in accordance with government guidelines.
‘Coupang Needs Tighter Security’
The ministry accused the former employee, who left the company in November 2024, of stealing an internal security key, known as a signing key. This key was reportedly used to generate fake login tokens, allowing unauthorized access to customer accounts.
It was noted that the staff member had played a role in designing and developing parts of Coupang’s user authentication system. The ministry criticized the company for failing to invalidate the developer’s signing key after their departure, deeming it an inadequate security measure.
“Coupang needs to implement a detection and blocking system for electronic access cards that do not follow the standard issuance process,” the ministry advised.
While the ministry could not confirm whether more than one individual was involved in the breach, they indicated that further details would emerge from the ongoing police investigation.
In January, South Korean Justice Minister Jung Sung-ho announced that an arrest warrant had been issued for a Chinese national who had previously worked at Coupang.
Arrest Warrant
The police investigation is still underway, and the personal data watchdog is also looking into the incident. Coupang is currently facing a tax audit in South Korea, along with a legal complaint filed by the country’s parliament against its founder and former executives for failing to attend parliamentary hearings last year.
The ministry accused Coupang of violating the information-network law by not reporting the breach within the mandated 24-hour period. They plan to impose an administrative fine of up to 30 million won ($20,596) under this law.
Coupang reported the data breach to its chief information security officer at 4:00 p.m. local time on November 17 and notified authorities at 9:35 p.m. on November 19, resulting in a delay of over 53 hours.
(Reporting by Heekyong Yang and Hyunjoo Jin; additional reporting by Heejin Kim; editing by Ed Davies)
Related:
