A banner denouncing Coupang is hung in front of the Coupang headquarters in Songpa-gu, Seoul, on the 9th, when the police conducted a search and seizure related to Coupang’s personal information leak incident. News1
The police have secured the records of Coupang’s key management system, which serves as their ‘security vault’, in the investigation of the massive Coupang personal information leak case, it was learned on the 14th. Police are also investigating the intention and circumstances under which a Chinese national suspect, known to have worked at Coupang and prestigious overseas companies in a position referred to as the “developer above developers,” leaked information. Additionally, a joint government-civilian investigation team is looking into whether Coupang took appropriate security measures in relation to this incident.
According to the Seoul Metropolitan Police Agency’s Cyber Crime Investigation Unit and the IT industry, the police secured access records and account usage, export, disposal, and management histories from the key management system ‘Hashicorp Vault’ by a Chinese suspect, A (43), and a Coupang employee between April 11 last year and the 8th of last month. Vault is a type of security software that safely stores sensitive information such as passwords and API keys, allowing usage only when necessary. It provides functions like centralizing and encrypting sensitive information and issuing temporary authentication keys only to authorized individuals.
Experts suggest that by obtaining these Vault usage records, the police can broadly examine the structure of responsibility for the incident and the state of Coupang’s security management. Since Vault retains audit logs, it offers the ability to track security incidents. Using this information, issues such as whether A’s authorization, which should have expired when he left the company late last year, remained active and whether permissions were appropriately revoked, can be clarified through investigation.
Police officers carry away confiscated items after completing a forced investigation into Coupang, which caused a massive personal information leakage, at Coupang’s headquarters office in Songpa-gu, Seoul, on the afternoon of the 9th. News1
Park Moon-beom, a senior researcher at “78 Research Lab,” a specialist in information security, noted, “The police have secured critical evidence that can determine whether Coupang’s personal information protection regulations aligned with the actual operation of the key management system.” However, he also added, “If logs were deleted or reset after the incident, or if their retention period has passed, the investigation might face difficulties.”
If the police and joint government-civilian investigation team discover that there is merely an appearance of security with no substance, it might work against Coupang. Industry insiders point out that it is not uncommon for companies to introduce security systems but operate them with lax security policies. A representative from the domestic white-hat hacking team ‘TeamH4C’ said, “In principle, security and convenience are in a conflicting relationship,” explaining that overly strict security can make it difficult for users and impact productivity.
Currently, following the Coupang information leak incident, the police have continued their search and seizure for the fifth consecutive day as of the 13th. Comprehensive coverage by the JoongAng Ilbo suggests that A is identified as a mid-career developer with about 20 years of experience. After graduating from a computer science program at a Chinese university, he gained experience at a NASDAQ-listed company and held a mid-managerial role in his previous job. At Coupang, he worked as a Staff Software Engineer, a position which, according to an IT industry insider, entails a high degree of autonomy, authority, and responsibility in particular systems or technological areas beyond that of a typical developer.
The police seized A’s personnel records, performance evaluations, disciplinary records, and the PC, laptop, and USB he used while working at Coupang’s Seoul branch to understand the motives behind the information leak. Additionally, they are broadly securing Coupang’s internal organizational structure and lists of employees in IT-related departments, including job titles, duties, nationalities, and phone numbers, from November 2022 to January 2025.
Kim Bom-suk, Coupang Inc’s Chairman of the Board. Photo by Coupang
Meanwhile, key executives at Coupang, including Chairman Kim Bom-suk, have decided not to attend Coupang’s hearing on the 17th as witnesses. In a non-attendance reason letter submitted to the National Assembly on the 14th, Chairman Kim explained, “Currently residing and working overseas as the CEO of a global company operating in over 170 countries worldwide, I am unable to attend the hearing due to official business engagements and ask for your understanding.” Previous Coupang executives, Park Dae-joon and Kang Han-seung, also submitted non-attendance letters.
On this day, Choi Min-hee, Chair of the National Assembly’s Science, ICT, Broadcasting, and Communications Committee, stated on Facebook, “I cannot accept them as they are all irresponsible reasons,” adding, “As the chairperson of the committee, I will disallow them and work with committee members to demand appropriate responsibility.”