Choi Woo-hyuk, head of the Information Security and Network Policy Bureau at the Ministry of Science and ICT, announces the findings of the public-private joint investigation team on the Coupang breach at the Government Complex Seoul in Jongno-gu, Seoul, on the 10th. Reporter Moon Jae-won
It was confirmed that the former Coupang employee who leaked a massive trove of personal information viewed the address list page, which contains names, phone numbers, and addresses, about 148 million times. From the ‘Edit My Information’ page alone, 33,673,817 name and email records were leaked, and the final, precise tally to be confirmed and announced by the Personal Information Protection Commission is expected to grow further. The government pointed to “Coupang’s poor management” as the cause of the incident.
On the 10th, the Ministry of Science and ICT announced the findings of the public-private joint investigation into the Coupang breach. The incident erupted when a former Coupang employee of Chinese nationality, referred to as Mr. A, leaked users’ personal information.
An analysis by the investigation team of 25.6TB of Coupang access logs from November 29, 2024 to December 31 of last year found that 33,673,817 name and email records were leaked from the Edit My Information page. This is similar to the government’s initial estimate of 33.7 million compromised accounts.
Mr. A viewed the address list page, which includes names, phone numbers, delivery addresses, and apartment entrance passwords masked with special characters, approximately 148.05 million times in total (including duplicates). Because the address list contains numerous third-party details such as those of family members and friends in addition to the account holder’s own information, the pool of affected individuals could widen.
Choi Woo-hyuk, head of the Information Security and Network Policy Bureau at the Ministry of Science and ICT, said, “A view constitutes a leak,” while adding, “The Personal Information Protection Commission will make the final announcement on the precise scale of the personal information leak.” The address list page allows up to 20 delivery addresses to be registered and includes various data, making it difficult to calculate the scale of the leak.
The address list edit page that included unmasked apartment entrance passwords was viewed 50,474 times, and the order list page showing a user’s recent purchases was viewed 102,682 times. The investigation team stated, “No secondary damage attributable to the personal information leak has been identified to date.”
Starting in January of last year, Mr. A conducted attack tests based on vulnerabilities he had been aware of while employed at Coupang. From April 14 to November 8 of last year, he used automated web crawling attack tools to exfiltrate data on a large scale. He used a total of 2,313 IP addresses in the process. It has not been confirmed whether the data were transmitted to external cloud servers located overseas. Mr. A also sent two emails to Coupang, on November 16 and 25 of last year, notifying the company of the leak.
The investigation team cited Coupang’s poor management of its information protection system as the cause of the leak. Choi said, “This is clearly a management problem,” adding, “It is hard to view it as a sophisticated attack.”
Results of the analysis of the scale of Coupang’s data leak. Provided by the Ministry of Science and ICT
Under normal access, a Coupang user goes through the login process to receive a kind of ‘electronic pass’. Coupang’s gateway server verifies whether the issued electronic pass is valid and, if nothing is amiss, allows access to the service.
Mr. A stole the signing key of the user authentication system he had managed while employed, then forged and altered the electronic pass to bypass Coupang’s authentication framework. As a result, he was able to access Coupang’s services without going through the normal login process.
Coupang failed to detect or block access attempts that used forged or altered electronic passes. Its mechanism to verify whether an electronic pass had been issued through the proper process was inadequate. It also emerged that developers stored signing keys on laptops, creating risks of key leakage and misuse, and that there was no key history management system. Legal violations were also identified, including delayed incident reporting and noncompliance with data preservation orders. The investigation team has referred the deletion of web and application logs for criminal investigation.
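The two gaps described above (no check that a pass was really issued, and no key history) can be illustrated with a gateway check written from the defender's side. This is an added example, not Coupang's code or anything published by the investigation team; the HMAC-signed pass format, the in-memory ledger and every function name here are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets

# Constructed data: key history (every signing key and its status) and the
# login service's ledger of pass IDs it actually issued.
KEY_HISTORY = {"k1": {"secret": b"constructed-demo-key", "status": "active"}}
ISSUED = set()

def mint(claims):
    """Sign claims with the key named in claims['kid']; records nothing."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    secret = KEY_HISTORY[claims["kid"]]["secret"]
    sig = hmac.new(secret, body, hashlib.sha256).hexdigest().encode()
    return (body + b"." + sig).decode()

def issue_pass(user, kid="k1"):
    """Normal login path: mint a pass and record its ID in the ledger."""
    claims = {"sub": user, "jti": secrets.token_hex(8), "kid": kid}
    ISSUED.add(claims["jti"])
    return mint(claims)

def _parse(token):
    """Return the claims if the signature is valid, else None."""
    try:
        body, sig = token.encode().rsplit(b".", 1)
        claims = json.loads(base64.urlsafe_b64decode(body))
        secret = KEY_HISTORY[claims["kid"]]["secret"]
    except (ValueError, KeyError, TypeError):
        return None
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest().encode()
    return claims if hmac.compare_digest(sig, expected) else None

def verify_signature_only(token):
    """Weak gateway check: any pass with a valid signature is accepted."""
    return _parse(token) is not None

def verify_with_issuance(token):
    """Hardened check: signature, key status, and proof of real issuance."""
    claims = _parse(token)
    if claims is None:
        return "bad-signature"
    if KEY_HISTORY[claims["kid"]]["status"] != "active":
        return "key-not-active"
    jti = claims.get("jti")
    if not isinstance(jti, str) or jti not in ISSUED:
        return "not-issued"
    return "ok"

def retire_key(kid):
    """Rotation after suspected key exposure: stop trusting the key at once."""
    KEY_HISTORY[kid]["status"] = "retired"
```

A pass produced by `mint` alone stands in for one signed outside the login flow: it passes `verify_signature_only` but is rejected as `not-issued`, and after `retire_key` every pass signed with that key is rejected.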
Some have speculated that the government rushed to announce the findings ahead of a “Coupang hearing” in the U.S. House of Representatives examining alleged discrimination by the Korean government. In response, Choi drew a line, saying, “This has nothing to do with external factors.” He said, “We have never discriminated against any company,” and, “We have been adhering to the principle of disclosing results swiftly and transparently as soon as they are available.” Regarding Coupang’s own finding that Mr. A had stored a little over 3,000 items of personal information, he said, “That is merely the subject entity’s claim.”
Based on the findings, the Ministry of Science and ICT will have Coupang submit an implementation plan for recurrence prevention measures within this month and will review the results by July.
Coupang said that day, “We have never denied the previously cited scale of roughly 33.7 million affected accounts,” adding, “We have notified roughly 33.7 million people of the personal information leak and have provided a compensation plan (purchase vouchers).”