Possibility Raised During National Assembly Committee Inquiry
Email Warns "Will Expose Vulnerability"… No Monetary Demands Made
Coupang CISO: "Cannot Speculate Prematurely on Motive"
Internal Oversight Faulted, Including Failure to Reset Fo
With a former employee of Chinese nationality identified as the main suspect in the leak of 33.7 million Coupang customer records, there is speculation that the individual may have acted out of resentment over being dismissed. However, since it has emerged that the suspect made no demands for money or other compensation after stealing large amounts of customer information over several months, the exact motive for the crime remains unclear.
Daejun Park, CEO of Coupang (left), is attending a current issue inquiry at the National Assembly Science, Technology, Information and Broadcasting and Communications Committee plenary meeting on the 2nd, responding to questions. On the right is Brett Mattis, Chief Information Security Officer (CISO) of Coupang. Photo by Hyunmin Kim
At a current issue inquiry of the National Assembly's Science, Technology, Information and Broadcasting and Communications Committee on the 2nd, Brett Mattis, Chief Information Security Officer (CISO) of Coupang, responded to a question from Shin Sungbeom, a member of the People Power Party, who asked whether the former employee may have committed the crime out of resentment over being fired. Mattis said, "If we consider all possibilities, that could be one of them," but added, "Since the police investigation is still ongoing, we cannot speculate freely about the motive," expressing caution.
In response to Assemblyman Shin's question about the former employee's work role and history, Daejun Park, CEO of Coupang, explained, "The individual in question was not responsible for authentication operations, but was a developer who built the authentication system." He added, "If the suspected individual is correct, he left the company in December last year, and his access rights were revoked after resignation." However, when asked by Assemblyman Noh Jongmyeon of the Democratic Party of Korea whether the suspected attacker acted alone or as part of a group, Park replied, "We cannot definitively say whether it was a single individual or multiple people," and added, "There is no developer who works alone; development teams are made up of several people with various roles."
Earlier that day, Seungjoo Kim, Professor at Korea University's Graduate School of Information Security, appeared on CBS Radio's "Kim Hyunjung's News Show" and said, "Within Coupang, there are rumors that the Chinese developer harbored resentment after being fired and acted out of spite." The theory has gained traction as it was reported that the former employee recently sent an email to Coupang notifying them of the data breach, made no monetary demands, and instead stated, "If you do not fix the vulnerability, I will expose it."
The committee's inquiry on this day focused on how the former employee was able to access and exfiltrate customer data over several months, and why Coupang failed to detect the breach during that period.
Professor Kim explained, "To put it simply, it's like checking your ID at a hotel to get a room key, but an internal developer took the password used to generate the room keys with them when they left." He continued, "Using this, they were able to generate unlimited room keys and extract customer information." He added, "Normally, when an employee leaves, the password for generating hotel room keys should be reset, but Coupang failed to take such measures. Overall, it appears there was a lack of proper management."
Mattis, the CISO, stated, "It appears the attacker used IP addresses from various sources to extract the data," and claimed, "Because the activity did not exceed our system's threshold, it was not detected."
On the 2nd, a general meeting of the National Assembly's Science, Technology, Information and Broadcasting and Communications Committee was held to address urgent inquiries related to the Coupang security incident. Photo by Kim Hyunmin
When asked whether the incident should be classified as a 'leak' or an 'exposure,' CEO Park stated, "It is a leak." In response to Assemblyman Lee Hoonki of the Democratic Party of Korea, who pointed out that a fine of up to 1.2 trillion won could be imposed as a result of this incident, Park replied, "We do not intend to avoid responsibility." Regarding the possibility that information of dormant or withdrawn members was also leaked, he said, "I believe some were included," and explained, "That is why we have individually notified everyone, regardless of whether their accounts are dormant or withdrawn." He also responded that "some" shared entrance passwords may have been included in the leak.
Professor Kim recommended that Coupang users take preventive measures against secondary damage, such as deleting registered payment methods, changing card payment passwords, and changing Coupang account passwords. He advised, "To minimize the risk of further damage, it is safest to delete all registered payment cards." In contrast, Coupang stated, "No payment information has been leaked, and we are not aware of any secondary damage so far," expressing concern that excessive measures could unnecessarily heighten anxiety.
Meanwhile, CEO Park was also asked whether Bom Kim, Chairman of Coupang Inc. and founder of Coupang, intends to apologize for the incident. Park responded, "This happened within the Korean entity, under my responsibility, so I am the one to offer an apology," and added, "As the CEO of the Korean entity, I will take full responsibility and do my utmost to resolve the situation."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.

