
The “Amazon of Korea” Hit by Mega Breach

If the phrase “data breach affecting most of a country’s population” has become somewhat tiresome in a world of Yahoo and National Public Data breaches, don’t hit the snooze button just yet.  South Korea is presently going through a bit of a cybersecurity crisis, as nearly 34 million people have had their personal data exposed in an unprecedented breach for the nation. 

Major e-commerce platform Coupang, likened to a Korean Amazon with a massive customer base and tens of billions in revenue in recent years, experienced unauthorized access to its systems last June through overseas servers.  Coupang would detect the intrusion months later, finding that addresses and other contact details had been exposed, as well as personal order histories. 

Sixty-five percent of the 51.7 million population were ultimately caught up in this breach.  The culprit is allegedly a former employee from China, putting this case in the realm of insider threats if true.  During his employment, he was responsible for issuing authentication keys to allow internal network access.  Apparently his own access continued for months after he left the firm, exploiting a vulnerability in authentication, all without the company’s knowledge.

The case also raises the issue of internal access controls and valid key management.  A press release from Korea’s National Assembly Science, ICT, Broadcasting and Communications Committee claims that “Coupang did not follow the most basic internal security procedure of renewing the signing key,” and that structural problems throughout the firm allowed for authentication to be exploited.
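What renewing a signing key changes at offboarding can be shown in a few lines. This is an added example, not code from the post or from Coupang; the token format (`kid.user.tag`), the use of HMAC-SHA256 and every name in it are assumptions made for illustration, since the post does not describe the actual authentication scheme.

```python
import hashlib
import hmac
import secrets

def sign(key, kid, user):
    return hmac.new(key, f"{kid}.{user}".encode(), hashlib.sha256).hexdigest()

def mint(key, kid, user):
    return f"{kid}.{user}.{sign(key, kid, user)}"

class TokenSigner:
    """Hypothetical internal token service with a renewable signing key."""
    def __init__(self):
        self._keys = {}   # key id -> secret; only ids listed here verify
        self.rotate()

    def rotate(self):
        """Renew the signing key and retire every earlier one."""
        self._keys.clear()
        self.active_kid = secrets.token_hex(4)
        self._keys[self.active_kid] = secrets.token_bytes(32)

    def export_key(self):
        """Models the key material a key-issuing role can hold."""
        return self.active_kid, self._keys[self.active_kid]

    def verify(self, token):
        """Return the user name if the token verifies, else None."""
        parts = token.split(".")
        if len(parts) != 3 or parts[0] not in self._keys:
            return None   # malformed token, or unknown/retired key id
        kid, user, tag = parts
        expected = sign(self._keys[kid], kid, user)
        ok = hmac.compare_digest(tag.encode(), expected.encode())
        return user if ok else None

def offboarding_demo():
    signer = TokenSigner()
    kid, copied = signer.export_key()        # key held at time of departure
    stale = mint(copied, kid, "former-employee")   # constructed sample token
    before = signer.verify(stale)            # accepted while key is unrenewed
    signer.rotate()                          # offboarding step: renew the key
    after = signer.verify(stale)             # rejected once the key is retired
    kid2, key2 = signer.export_key()
    current = signer.verify(mint(key2, kid2, "current-user"))
    return before, after, current

if __name__ == "__main__":
    print(offboarding_demo())
```

Logging every rejection for a retired key id also gives the security team a detection signal for continued use of old credentials.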

“This is akin to a deserter freely entering and exiting a military base by receiving daily passwords,” says Professor Hwang Suk-jin of Dongguk University’s Graduate School of Information Security.  Blame also seems to rest on recent company management, which has weakened internal oversight and regulations in favor of other business priorities.  No wonder, then, that a group of users has already sued Coupang.  South Korean President Lee Jae Myung has also added his voice to calls for harsher penalties for corporate negligence.  An investigation from the Personal Information Protection Commission is also underway, to determine whether the company violated its information security measures, including access controls or data encryption.  Such is the scandal that Coupang’s CEO has just resigned.

Previous mega breaches to impact the country have involved 27 million customers of SK Telecom and 3 million of Lotte Card, a South Korean card issuer.  Bloomberg estimates this case will break records even further, and maybe cost Coupang 1.2 trillion won ($814 million) in damages.  Updates to the record books show no signs of stopping.  All any organization can and must do is ensure it has proper authentication and encryption standards in place against accidental or intentional sabotage.

NetLib Security’s powerful Encryptionizer solution offers transparent encryption for stored data across all environments – physical, virtual and cloud – with almost zero impact on performance.  No additional programming is required.  Too many data breaches, whether through external or internal causes, could be stopped in their tracks if sensitive data were encrypted and made useless to cyber crime.  Encryption is simply not optional.

 

By: Jonathan Weicher, post on December 10, 2025
Originally published at: https://www.netlibsecurity.com
Copyright: NetLib Security