Ex-Employee Stole Signing Keys, Tested Attack Before Massive Coupang Data Breach

By Kim Ki-hyuk

Practiced attack after stealing signing key… even tampered with cloud transmission system - Seoul Economic Daily Technology News from South Korea

"Change your door passcode right now. Our home addresses were accessed 150 million times."

Coupang's massive personal data breach resulted from a combination of the company's lax security systems and an individual's meticulous criminal planning. The perpetrator, a former Chinese employee, identified vulnerabilities in Coupang's security system while still employed. After resigning, the individual conducted preliminary tests before launching the attack. The government has ordered Coupang to strengthen its overall security infrastructure, including its signing key management system, but critics say this amounts to "closing the barn door after the horse has bolted."

According to findings announced on the 10th by the public-private joint investigation team under the Ministry of Science and ICT, the perpetrator, who was responsible for designing and developing user authentication systems while at Coupang, identified weaknesses in the company's user authentication framework and stole the signing keys that made unauthorized access to user accounts possible. After leaving the company, the individual used the stolen keys and internal information to forge authentication tokens, which function as digital access passes. This allowed Coupang's authentication system to be bypassed without going through the normal login procedure. The perpetrator also ran preliminary tests of the attack before carrying it out.

The large-scale data leak was executed through crawling, an automated data collection method. A total of 2,313 IP addresses were used in the process. Whether the stolen information was transferred overseas has not been definitively confirmed. While investigators verified that the perpetrator configured systems to enable transmission to overseas cloud servers, no records exist to confirm whether actual transfers occurred.

The brazen attack was enabled by lax security systems and complacent security awareness at Coupang, South Korea's largest e-commerce platform. According to the joint investigation team, the most critical failing was that no system existed to detect personal data breaches in advance. Coupang had identified vulnerabilities in its token-based authentication system through penetration testing but failed to remediate them. Consequently, no procedure existed to check whether the perpetrator's access was legitimate.

Coupang's signing key management system was also deficient. The company should have taken measures to invalidate signing keys after employee departures, but failed to do so. Moreover, both developers and operators had access to the key management system. Although Coupang's internal regulations stipulated that signing keys should be stored only in the key management system and not on developer PCs, this rule was not enforced in practice.

Lee Dong-geun, vice chief of the joint investigation team, explained, "Since the attacker had already resigned and couldn't be investigated, we examined how current employees conduct their work. When we performed forensics on current employees' laptops, we confirmed they were storing keys, which indicated the former employee who carried out the attack could also have stored keys." This suggests risks of key leakage or misuse persisted even after the breach occurred.

The government has instructed Coupang to implement systems capable of blocking authentication tokens not issued through proper procedures and to develop fundamental solutions for vulnerabilities discovered during penetration testing.

Experts unanimously called for more thorough investigation, given that the Coupang breach could affect the entire nation's population. Lim Jong-in, emeritus professor at Korea University, stated, "With the perpetrator understood to currently be in China, the government has essentially just announced the damage scale and concluded the matter. Since Coupang previously released its own investigation results, a joint Korea-U.S. investigation is necessary to establish the full facts."

Meanwhile, the Personal Information Protection Commission plans to finalize and disclose the exact scale of personal data leaked at a later date. The joint investigation team maintains that secondary damages from the Coupang data breach have not yet been confirmed. Choi Woo-hyuk, Director General of Information Protection and Network Policy at the Ministry of Science and ICT, stated, "We understand that no payment information was leaked."


AI-translated from Korean. Quotes from foreign sources are based on Korean-language reports and may not reflect exact original wording.