Supply vehicles for the Korean e-commerce large Coupang sit within the lot of a distribution middle in Seoul on Dec. 2, 2025, two days after information broke of an enormous leak of buyer information. (Yonhap)
The important thing suspect in a leak of non-public data from round 33.7 million customers of the web retailer Coupang is an authentication system developer for the enterprise, it has been discovered.
Whereas the information leaks from Coupang have been discovered to this point again to June of this 12 months, the revelation that the suspect in query departed the corporate in December 2024 raises the likelihood that the private information of customers was siphoned off earlier than then.
In an emergency interpellation session Tuesday earlier than the Nationwide Meeting Science, ICT, Broadcasting, and Communications Committee on the Coupang information leak, Coupang CEO Park Dae-jun defined that the previous worker suspected within the incident was a “developer of authentication methods.”
As lately because the day earlier than, it had solely been reported that the suspect was an worker accountable for authentication duties. The newest revelation confirms that the one that leaked the knowledge was a developer who would have had in depth data of the corporate’s authentication system construction.
On the session that day, Ryu Je-myung, the second vice minister of science and ICT, defined that the attacker “accessed and leaked buyer data a number of occasions by way of irregular means with out logging in.”
“Within the course of, an encryption key was used to electronically signal the authentication tokens used when connecting to Coupang servers,” he added.
Coupang CEO Park Dae-jun glances at Coupang Chief Info Safety Officer Brett Matthes as he responds to questions from lawmakers on the Nationwide Meeting Science, ICT, Broadcasting and Communications Committee on the Nationwide Meeting in Yeouido, Seoul, on Dec. 2, 2025. (Yoon Woon-sik/Hankyoreh)
However Park disputed claims that entry authority was retained even after the worker departed the corporate.
Stressing that the worker’s authorization was “revoked” in accordance with process, he went on to say, “For unknown causes, the violator was in possession of key values.”
Brett Matthes, Coupang’s chief data safety officer, defined that tokens are used for cost when a buyer logs in usually. He added that every one of Coupang’s authentication tokens have been signed by a non-public key, and that the attacker created false tokens by way of authentication with a non-public key obtained from inside Coupang.
In line with his rationalization, the shortage of a primary response from the corporate — together with the failure to delete the previous worker’s account — was not linked to the leak.
The dates of the assault, as at present ascertained by a joint personal sector-government investigation crew, have been discovered to have been between June 24 and Nov. 8.
However the revelation throughout the interpellation session in regards to the suspect having departed the corporate in December 2024 raised the likelihood that the purchasers’ data was leaked previous to June.
In the course of the session on Tuesday, Democratic Social gathering Rep. Lee Jeong-heon requested Korea College Graduate College of Privateness and Information Safety professor Kim Seung-joo about the potential for as-yet-undiscovered leaks having taken place at an earlier date.
“There’s a risk,” Kim replied.
Lee went on to ask about the potential for the suspect having stolen delicate buyer data, akin to bank card, cost, and login particulars, throughout their time on the firm. Kim likewise agreed that the likelihood existed.
In impact, the truth that Coupang initially detected the knowledge leak solely after the previous worker despatched a message reportedly threatening to show the corporate’s safety dangers suggests the necessity to think about the potential for extra data leaks having taken place earlier than the primary confirmed leak in June of this 12 months.
The Korean authorities is at present weighing a number of choices for punishment for Coupang, together with elevated penalties, punitive damages, and a suspension of operations. The Shopper Safety in Digital Commerce Act stipulates that companies could also be topic to punishments as much as and together with suspension of operations when an digital commerce transaction ends in monetary losses to prospects.
When requested about this throughout the Nationwide Meeting Session, Minister of Science and ICT Bae Kyung-hoon stated the matter can be “actively mentioned” with the related establishments.
By Website positioning Hye-mi, employees reporter; Solar Dam-eun, employees reporter
Please direct questions or feedback to [english@hani.co.kr]
