
The Ministry of Science and ICT, the Seoul Metropolitan Police Agency, and other relevant agencies conducted an on-site investigation after receiving a report of a breach on Nov. 19 and a report of a personal information leak on Nov. 20. The investigation confirmed that the attacker exploited an authentication vulnerability in Coupang’s servers, bypassing the normal login process and leaking customer information.
The government launched a joint public-private investigation team on Nov. 30, and the Personal Information Protection Commission is investigating whether Coupang violated its obligations regarding personal information protection safety measures, such as access control, access authority management, and encryption. As a service with such a large user base that it’s often called the “Amazon of Korea,” Coupang issued a public security notice on Nov. 29 to prevent secondary damage. Furthermore, a three-month period, starting Nov. 30, will be dedicated to strengthening the monitoring of personal information leaks and illegal distribution online.
Meanwhile, Choi Min-hee, Chairwoman of the National Assembly Science, ICT, Broadcasting and Communications Committee, released the results of an analysis of the specific causes of the incident in a press release on Nov. 30. According to information received from Coupang, the company reportedly responded that “the token signing key validity period is often set to 5 to 10 years,” adding that “the rotation period is long and varies greatly depending on the key type.”
