Did They Not Know or Did They Hide It?... The Coupang Data Leak Mystery

With more than 33 million Coupang customer records leaked, industry insiders are calling it unusual that South Korea’s largest e-commerce platform, which has long emphasized its information technology, failed to detect the exfiltration of sensitive data for nearly five months. As the incident has been revealed to be the work of a former employee rather than a hacking attack, criticism of Coupang’s lax management system and calls for accountability are expected to intensify. Other companies in the same industry have begun to re-examine their own internal security systems and are taking follow-up measures in response to the incident.

According to data obtained from Coupang by the office of Choi Minhee, Chairperson of the National Assembly’s Science, ICT, Broadcasting, and Communications Committee, the incident originated from a former employee in charge of authentication who stole Coupang’s customer information. The individual responsible for the personal information leak is a former Coupang employee of Chinese nationality, who is reportedly now residing overseas after leaving the company.

According to Choi’s office, the employee is suspected of exploiting authentication token server keys and security vulnerabilities. Authentication tokens function as one-time passes issued upon login, and a ‘signing key’ is required to generate them. Coupang has not disclosed the exact validity period of the authentication keys exploited in this breach, citing an ongoing police investigation.

However, regarding the validity period of token signing keys, Coupang replied to Choi’s office, “It is common for these to be set for 5 to 10 years, and the rotation period can be quite long and varies greatly depending on the type of key.” Ultimately, although tokens are generated and immediately discarded within Coupang’s login system, Choi’s office explained that because the signing keys were not deleted or renewed and were left unattended for a long period, the former employee was able to exploit them to access the customer information database.

Considering all these circumstances, there is strong evidence that this incident was a man-made disaster caused by neglect of internal security systems and personnel management. Even so, there remain questionable aspects. For example, traces of unauthorized access to Coupang’s customer data were first detected on June 24, but it was only after the former employee sent threatening emails to Coupang and its members, months after stealing the data, that the exposure was discovered-almost five months later. This timeline has fueled criticism that Coupang’s security system is excessively lax, especially given its repeated emphasis on being a technology company.

A signboard of Coupang installed at Coupang headquarters is visible behind the apology text message from Coupang regarding the personal information leak incident on the 1st. Photo by Dongju Yoon

An e-commerce industry insider pointed out, “Customer data is among a company’s most critical assets, and even attempting to upload or download such information requires explicit approval from a responsible manager. It is difficult to understand how more than 30 million customer records could be leaked externally without any system alerts or detection by security personnel.”

Another industry source added, “If the employee under suspicion of leaking personal information held a high-level position with authority over information security certification, it might have been technically possible to conceal warning signs. However, it is incomprehensible that such actions were allowed to occur after the employee had left the company.” Coupang, for its part, is declining to confirm details about the employee’s nationality or the circumstances of the leak, stating, “We cannot provide specifics as the matter is under investigation.”

Consumers’ anxiety is mounting in response to Coupang’s lukewarm handling of the situation. Although Coupang has emphasized that “the accessed customer information was limited to names, emails, phone numbers, delivery addresses, and certain order details, and did not include payment, credit card, or login information,” there remains the possibility that the scope of the leak could expand as the investigation continues.

Coupang had previously acknowledged, in an announcement on November 18, that the personal information of about 4,500 accounts had been exposed without authorization, but subsequent investigations revealed that the number of affected accounts was roughly 7,500 times higher. In a similar case involving Lotte Card, the company initially announced in September that “no evidence of customer data leakage has been found so far,” but two weeks later it was revealed that not only card numbers but also sensitive information such as CVC codes had been leaked.

Among consumers, there are growing concerns that even apartment building entrance codes and personal customs clearance numbers used for overseas purchases may have been leaked through Coupang. On this day, the Korea Consumer Organization Council issued a statement expressing “deep concern and strong anger over the exposure of consumers’ most private information, including addresses, contact details, purchase histories, and even apartment entrance codes,” and demanded, “Coupang must transparently disclose the cause and scale of the personal information leak and immediately prepare concrete and substantial compensation measures.”

The statement continued, “Measures must also be taken to compensate and prevent damages such as decreased sales for small business owners resulting from this incident. If Coupang refuses to accept responsibility and attempts to stall through lobbying or legal maneuvers, we will unite with consumers and respond forcefully using every means available, including mass account withdrawals and boycotts.” The group also called on the government to “conduct a thorough investigation, impose strong administrative penalties, and swiftly establish measures to prevent recurrence.”

The e-commerce industry is also taking this massive Coupang customer data breach as an opportunity to re-examine its own internal security systems. SSG.com is strengthening both regular and ad-hoc security checks and internal controls, while Gmarket conducted an emergency security inspection over the weekend and is discussing further follow-up measures. 11st stated, “We monitor for security threats 24/7, 365 days a year through our security operations center, and we plan to re-examine server and database access logs in relation to this incident.”

Additionally, Naver explained, “We prioritize the safety of users’ information and data by operating and monitoring our systems at all times, applying our own information protection systems and security solutions.” Kurly also reported, “In addition to regular security checks, we are conducting proactive inspections and strengthening internal controls to reduce the risk of similar incidents.”

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.