Police obtain access logs from Coupang security system to determine origins of leak

Police investigating a massive personal data breach at Coupang have secured records from the company’s key management system, software that encrypts data and issues credentials for user access.

Banners condemning Coupang hang in front of the company’s headquarters in Songpa District, southern Seoul, on Sept. 9, as police conduct search and seizure operations over a personal data breach. [NEWS1]

Police investigating a massive personal data breach at Coupang have secured records from the company’s key management system used to encrypt data and issue credentials for user access.

Investigators are also examining the motive and circumstances behind the leak allegedly carried out by a Chinese national suspect who worked at Coupang and major overseas companies in a role described as “a developer above developers.” A joint public-private investigation team is also reviewing whether Coupang took adequate security measures in connection with the incident.

Police seized and searched logs to Coupang’s key management system, HashiCorp Vault, used by the Chinese suspect and a Coupang employee responsible for authentication system development, according to the Seoul Metropolitan Police Agency and IT industry sources on Sunday. The records cover the period from April 11, 2024, to Nov. 8 this year and include account usage, export, disposal and management histories.

HashiCorp Vault is a security software system akin to a safe that securely stores sensitive information such as passwords and API keys, allowing access only when necessary. It centralizes and encrypts sensitive data and issues temporary authentication keys solely to authorized users.

Experts say that by obtaining HashiCorp Vault usage records, police will be able to broadly assess responsibility for the breach and Coupang’s overall security management practices, as HashiCorp Vault retains audit logs that allow investigators to trace security incidents. This could help determine key issues, including whether access privileges that should have expired when the suspect left the company in late 2024 remained active and whether access revocation was properly handled.

Police have effectively secured "evidence to determine whether Coupang’s personal data protection policies aligned with the actual operation of its key management system," according to Park Moon-beom, a senior researcher at information security firm 78 Research Lab.

"But if logs were deleted or reset after the incident, or if the retention period had already expired, the investigation could face difficulties," said Park.

Analysts also warn that if investigations find Coupang maintained its security insufficiently, the findings could work against the company. Industry officials note that it is not uncommon for companies to implement security systems while operating them under lax internal policies.

Police officers carry seized materials out of Coupang’s headquarters in Songpa District, southern Seoul, on the afternoon of Sept. 9, after completing a search and seizure as part of a forced investigation into a massive personal data leak. [NEWS1]

“Security and convenience are fundamentally at odds,” a member of domestic white hat hacking group TeamH4C said. "Overly strict security measures can burden users and hurt productivity. "

Following the data breach, police have continued search and seizure operations at Coupang’s headquarters for a fifth straight day through Saturday.

The JoongAng Ilbo's reports found that the suspect is believed to be a mid-career developer with around 20 years of experience. After graduating from a computer science department at a university in China, he built his career at a Nasdaq-listed company and previously held a middle management position. At Coupang, he worked as a staff software engineer.

A staff software engineer is “a role that goes beyond routine development, carrying a high level of autonomy, authority and responsibility over specific systems or technical domains," said an IT industry official.

To determine the motive behind the leak, police have seized the suspect’s personnel records, including performance evaluations and disciplinary history, as well as PCs, laptops and USB drives he used while working at Coupang’s Seoul office. Investigators are also broadly collecting Coupang’s internal organizational charts and lists of IT-related employees — including names, ranks, roles, nationalities and phone numbers — covering the period from November 2022 to January this year.

Bom Kim, founder and CEO of Coupang Inc [JOONGANG ILBO]

Meanwhile, Coupang Chair Bom Kim and other senior executives will not appear as witnesses at a Coupang-related parliamentary hearing scheduled for Wednesday.

“Because of unavoidable official business schedules as the CEO of a global company operating in over 170 countries, I am unable to attend the hearing,” Kim said in a written explanation submitted to the National Assembly on Sunday.

Former Coupang CEOs Park Dae-jun and Kang Han-seung also submitted written statements citing their reasons for nonattendance.

“Every single reason given is irresponsible and unacceptable,” Choi Min-hee, chair of the National Assembly’s Science, ICT, Broadcasting and Communications Committee, wrote on Facebook on Sunday. “As committee chair, I will not accept them and will pursue appropriate accountability together with committee members.”

This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom. BY LEE YOUNG-KEUN, KIM JEONG-JAE [kim.minyoung5@joongang.co.kr]