Did Former Employee Accounts Remain Open and Overseas Server Access Go Unchecked? ... Key Questions for the Government-Private Joint Investigation Team

Breach Went Undetected for Five Months: What Can Be Trusted?
"Investigation Must Consider the Possibility That All Data Was Leaked"
Questions Remain Over Overseas Access, Former Employee Accounts, Authentication Key Management, and Insider Involvement


As the scandal over the leak of 33.7 million Coupang user records spreads uncontrollably, attention is focusing on the joint public-private investigation team tasked with uncovering the technical details of the incident.


At a National Assembly Science, ICT, Broadcasting, and Communications Committee inquiry held on December 2, Ryu Jemyung, the Second Vice Minister of Science and ICT, stated, "The attacker exploited authentication vulnerabilities in Coupang's servers to repeatedly access customer information from June 24 to November 8 without going through the normal login process." He thereby officially confirmed the misuse of authentication keys and abnormal access over a five-month period. Because information from more than 30 million accounts was accessed without authorization, the government has implemented emergency response measures and actions to prevent secondary damage.


While Coupang has asserted that "no payment information or account passwords were leaked," doubts persist over whether it can be definitively stated that only certain information was compromised, given that the breach went undetected for five months. The situation is becoming increasingly complex, especially as multiple key technical factors have been identified, such as evidence of server access from overseas, the possibility that accounts belonging to former employees remained active, and the procedures for revoking authentication keys.


Experts point to the "actual scope of the leaked data" as the central issue in this case. They note that, in addition to the personal information Coupang has identified, account details, payment and credit information, and authentication data may also have been exposed. Kim Myungjoo, Director of the Artificial Intelligence Safety Research Institute, said, "It is difficult to be certain that 'only this information was leaked' when the breach went undetected for five months," emphasizing, "The investigation team must proceed under the assumption that all information held by Coupang could have been leaked." Because exfiltration copies data rather than removing it, the fact that records remain intact inside the system does not show that they were not leaked.


Another question is the evidence of server access from overseas. Experts agree that the analysis should consider multiple possibilities, such as whether administrator-level authentication keys or accounts were used from outside the company, and whether the attacker could have routed access through a virtual private network (VPN) or proxy to disguise its origin. Park Chunsik, Professor of Information Security at Seoul Women's University, pointed out, "It is even more serious that neither insider accounts nor vulnerability-based access were detected."


The controversy over overseas access is also linked to the issue of controlling accounts belonging to former employees. If authentication keys were not properly revoked and remained active after an employee left the company, data could have been leaked through normal login processes. Hong Junho, Professor of Converged Security Engineering at Sungshin Women's University, said, "Authentication and encryption keys must be strictly managed from creation to revocation. If keys belonging to former employees remained active for an extended period, it is a clear sign of inadequate internal controls." A security company CEO, speaking on condition of anonymity, commented, "There are so many IT systems running at Coupang, and security should be automated based on a 'zero trust' framework, where access rights are tightly controlled for each system. However, it seems that things were handled manually instead. There may have been mistakes or tacit approval by those in charge."


Another key issue is the current location of the leaked data. Lee Hyungtaek, Director of the Korea Ransomware Response Center, said, "It is unlikely that whoever obtained the data did nothing with it," adding, "There may have been private negotiations between Coupang and the leaker, but if those talks broke down, it could have led to external exposure." He explained that when hackers demand large sums of money, companies often opt for quiet negotiations to avoid traceable transactions, but if negotiations fail, it is common for hackers to release the data on the dark web to pressure the company.


It is also essential to determine who took the data and by what route. Without a strict security framework, it is technically not difficult for an internal developer or someone with privileges to download large amounts of data simply by knowing authentication information. Lee also pointed out that the possibility of internal collusion cannot be ruled out.

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.