The Korea Times

Korean gov't confirms 33.67 mil. user records leaked in Coupang breach

Data breach ‘clear management failure by Coupang,’ says probe team

A Coupang truck at a logistics center in Seoul / Yonhap

A government-private investigation team confirmed Tuesday that more than 33 million user records of customers in Korea were leaked in last year’s massive data breach at U.S.-headquartered e-commerce giant Coupang.

According to the Ministry of Science and ICT, which led the team, the investigation found a total of 33.67 million user accounts consisting of names and email addresses had been leaked.

The team also noted that Coupang's delivery list page containing names, phone numbers, delivery addresses and anonymized apartment entrance passwords was accessed illicitly 148 million times during the breach, indicating that the scale of harm to users could grow.

Since Coupang allows users to save up to 20 delivery addresses as well as phone numbers per account, the threat posed by the compromised data could extend beyond the number of affected accounts alone.

This screenshot of Coupang's delivery address list page shows information on users' names, addresses and phone numbers. Courtesy of Ministry of Science and ICT

Coupang has claimed that 33.7 million accounts were affected by the breach but that only around 3,000 records were stored by the attacker. The claim has drawn criticism that Coupang is seeking to play down the incident.

Choi Woo-hyuk, head of the ministry’s Office of Cybersecurity and Network Policy, stressed in a briefing that the unauthorized accesses to the delivery list page constitute a data breach, saying “calling it an access does not mean less liability.”

“Coupang’s own figure of 3,000 records is the company’s claim and serves only as a reference,” he said. “We verified all materials independently. We examined Coupang’s servers to determine how much data was accessed by external attackers and how much was leaked.”

Choi Woo-hyuk, head of the Ministry of Science and ICT's Office of Cybersecurity and Network Policy, speaks during a press conference at Government Complex Seoul, Tuesday. Yonhap

According to Choi, the ministry confirmed that the attacker was a former Coupang employee who had developed user authentication software. The person stole a signing key from an authentication system, conducted tests for the attack and then used web-crawling tools to copy large volumes of data.

Through this method, the attacker accessed Coupang’s services even after leaving the company and sent threatening emails to the company’s headquarters. The team also confirmed that the attacker had a system capable of transmitting the leaked data to overseas cloud servers, but said it remains unclear whether any data was actually transmitted.

The investigative team said Coupang’s internal rules stipulate that signing keys must be stored only within the management system and not on employees’ personal PCs, but added that cases were found in which current Coupang developers had stored signing keys on their laptops.

“The team identified shortcomings in the management of authentication systems and signing keys,” Choi said. “This is a clear management failure by Coupang, not a sophisticated attack.”

The ministry said Coupang also failed to report the incident promptly to the relevant authorities despite regulations, adding it will impose a fine on the company for delayed reporting and pursue a formal investigation, stressing that the company failed to preserve key evidence despite an earlier request.

The investigation results came about three months after Coupang became aware of the breach on Nov. 17. While there had been speculation that the team's announcement faced delays out of concerns over U.S. trade pressure and American politicians’ claims that the Korean government is discriminating against an American company, the probe team flatly denied the claims.

“The investigation team has never deviated from the law and principles,” Choi said. “We have not treated any company differently, and we are adhering to our principle of disclosing the results promptly and transparently as they become available.”

Regarding the investigation results, a Coupang official told Yonhap News Agency that the 148 million accesses to the delivery list page “does not indicate the scale of information breach.”

“The access count is the result of the attackers’ attempt to collect individual personal data linked to roughly 33.7 million accounts,” the official was quoted as saying.