Coupang Delivery Addresses Viewed 140 Million Times?... External Transfer of Leaked Data Not Proven

33.67 Million vs. 3,000: Diverging Views on the Scope of the Breach
Government: "Viewing Is Itself a Leak"... About 150 Million Page Views
Detailed Scope of the Breach to Be Determined by the Personal Information Protection Commission

As the public-private joint investigation team announced its findings on Coupang's massive personal data leak, the authenticity of the "external storage of 3,000 accounts" that had fueled suspicions of a Coupang "self-investigation" remains unclear, drawing attention to follow-up announcements.


On the 10th, the Ministry of Science and ICT issued a provisional announcement at the Government Complex Seoul on the results of the public-private joint investigation into the Coupang breach. Earlier, the ministry had analyzed 25.6 terabytes (TB) of remaining Coupang web access logs (6,642,000,000,000 data entries) starting from November 29 last year and confirmed that more than 33.67 million items of user names and email addresses were leaked from the Coupang "Edit My Information" page. This figure is similar to the approximately 33.7 million cases of personal data leakage that Coupang had announced through its own investigation in November last year.



The joint investigation team stated that the attacker who accessed Coupang’s personal data viewed the "delivery address list page" more than about 148 million times, during which the attacker viewed personal information including customer names, phone numbers, delivery addresses, and apartment entrance passwords that had been de-identified using special characters. This figure represents the number of times the attacker visited the delivery address list page. In detail, the apartment entrance passwords were viewed in more than about 50,000 cases along with names, phone numbers, and addresses, and the list of recently ordered products was viewed more than about 100,000 times on the "order list page."


The scale of the leak announced by the joint investigation team on this day was calculated based on web access logs and similar records. The exact scale of the personal data leak will later be finalized and announced by the Personal Information Protection Commission. However, the attacker’s identity, which had been mentioned as having a specific nationality, was excluded from the announcement, and the detailed scale of the leak was also left for the commission to disclose at a later date, leading to assessments that the announcement falls short of fully dispelling suspicions.


Notably, the investigation results of the joint investigation team did not reveal how much of the information exfiltrated by the attacker was stored on external storage devices, or whether it was deleted. Previously, on December 25 last year, Coupang announced the results of its investigation into the attacker, which it claimed to have forensically verified, stating, "The perpetrator acted alone and stored limited customer information from 3,000 accounts only on a personal desktop PC and a MacBook Air laptop." It further added the attacker’s statement that "this information was never transmitted externally and all customer information was deleted."


The government side downplayed Coupang’s announcement as being based on a self-conducted investigation, thereby limiting its significance. At a joint hearing on Coupang held in December last year, Baek Younghoon, Deputy Prime Minister and Minister of Science and ICT, said, "We cannot simply take their word for it that everything except the 3,000 cases was deleted on November 29; we have to investigate everything," adding, "Deleted data can be restored from hard disks, it can be stored in some cloud service, and it can be stored elsewhere, so we have to investigate all of that."


Choi Woohyuk, Director of the Information Protection and Network Policy Office at the Ministry of Science and ICT, announces the results of the public-private joint investigation into the Coupang breach at the Government Complex Seoul in Jongno-gu, Seoul, on the 10th. Photo by Cho Yongjun

This is seen as stemming from diverging interpretations between the government and Coupang regarding the basis for determining a personal data breach. Under the current Standard Personal Information Protection Guidelines, a personal data breach is defined as "a situation in which personal information has left the control or management of the personal information controller and has come into a state where a third party can become aware of its contents." The Coupang side argued that although the attacker accessed more than 33 million items of customer information, the data actually stored was about 3,000 items, and therefore the actual breach amounted to 3,000 cases.


Choi Woohyuk, Director of the Information Protection and Network Policy Office at the Ministry of Science and ICT, explained, "The 3,000 cases are what Coupang has stated, and that is only a reference factor," adding, "Under the guidelines of the Personal Information Protection Act, we consider the information to have been leaked from the moment it was viewed."


However, in the announcement on this day, it was not confirmed whether the attacker transmitted the leaked information to an external cloud service, and matters related to the identity of the perpetrator were also left within the scope of the criminal investigation. A security industry official said, "There are technical limitations in that even through forensic investigation it may be impossible to obtain concrete evidence of an actual cloud exfiltration, so the attacker would need to be further questioned directly in order to determine whether there was any external transmission," adding, "Ultimately, we cannot rule out the possibility that it will prove impossible to determine whether 33.67 million items of personal information were actually leaked externally."


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
