Coupang: "Access Gained by Exploiting Signed Access Tokens"
Records have revealed that Coupang failed to detect a personal information leak affecting more than 4,500 customers for over ten days after the incident occurred.
According to a breach report provided by the office of Minhee Choi, Chairperson of the National Assembly’s Science, ICT, Broadcasting, and Communications Committee, which obtained it from the Korea Internet & Security Agency (KISA) on November 21, Coupang reported that the unauthorized access to its account information took place at 6:38 p.m. on November 6. However, the company did not become aware of the breach until 10:52 p.m. on November 18, twelve days later.
Previously, Coupang had notified affected customers via text message the day before, stating, "On November 18, it was confirmed that your personal information was accessed without authorization." This has led to criticism that Coupang not only failed to detect the breach for more than ten days, but also did not accurately inform customers of the exact timing of the data leak.
The Information and Communications Network Act requires businesses to report a breach to authorities within 24 hours of becoming aware of an incident. Coupang filed its report at 9:35 p.m. the following day, thus meeting the deadline.
Meanwhile, in its report, Coupang stated, "Records show that 4,536 account profiles were accessed without valid authentication," and added, "Initial investigations suggest that a signed access token was exploited to gain access." The company also noted, "Access records for each account profile included the five most recent order histories and customers’ delivery address books (names, phone numbers, and delivery addresses)." Coupang is currently investigating how the tokens used for unauthorized access were obtained, and confirmed that all signing key information for these tokens has been discarded. The company also explained that it has strengthened detection rules and expanded monitoring in preparation for any further unauthorized access attempts.
The Ministry of Science and ICT, KISA, and the Personal Information Protection Commission are investigating the circumstances of the leak and potential damages based on Coupang’s report.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.


