koreajoongangdaily.joins.com
BY LEE YOUNG-KEUN, KIM JI-HYE
The former Coupang employee accused of leaking 33.7 million customer data had worked at the company for just two years, according to police on Thursday.
According to the Seoul Metropolitan Police Agency and sources familiar with the case who spoke to the JoongAng Ilbo, the suspect in the data breach — identified as a 43-year-old developer and Chinese national — was affiliated with Coupang's Seoul office. The person joined Coupang in November 2022 and was assigned to work on a key management security system before leaving the company late last year.
It’s difficult to understand from a common sense perspective why a newly hired developer with foreign nationality would be given access to sensitive customer information — especially in today’s security-conscious corporate environment,” said an industry source. “Given that such duties typically require strict security training and pledges, it raises questions about whether the company’s protocols were adequate.”
Coupang disclosed on Nov. 29 that approximately 37.7 million customer accounts had been exposed. The compromised data includes names, email addresses, saved delivery addresses, partial order histories and, in some cases, access codes for shared building entrances.
Due to the massive scale of the breach, police have been raiding Coupang’s headquarters in Songpa District, southern Seoul, for three consecutive days since Tuesday. Thursday's raid began around 9:40 a.m. Investigators are focused on securing records that can explain how the suspect allegedly gained access to Coupang’s security system and extracted the data. These include internal documents, work logs and system records related to the key management platform the suspect worked on during the employment period.
Police are also analyzing logs stored in the company’s security system, such as IP addresses, user credentials and access histories.
Coupang filed a criminal complaint with police on Nov. 25 regarding the leak. The police initially began an investigation based on documents submitted voluntarily by the company, but launched a compulsory search starting Tuesday. Investigators plan to trace the suspect’s methods and movements using the evidence collected in the raid. If Coupang’s negligence or legal violations are uncovered in the process, the company — currently treated as the victim — and employees responsible for handling personal information may also become subjects of investigation.
Meanwhile, the number of phishing scams linked to the Coupang breach has surged in recent days. According to Democratic Party lawmaker Lee Jeong-heon of the National Assembly’s Science, ICT, Broadcasting and Communications Committee, police received 229 phishing reports between Nov. 30 and Tuesday.
Most reports involved scams impersonating Coupang and offering fake compensation or claiming to be sending deliveries. Other familiar tactics, such as fake product review programs or phony prize announcements, were also used — many of which predate the breach.
“This incident is raising serious concerns over secondary damage such as phishing crimes,” Lee said. “Coupang and Executive Chairman Kim Bom must stop hiding behind silence and urgently take responsibility with transparent disclosure and a comprehensive compensation plan.”
Korea JoongAng daily
Friday
October 17, 2025
The Korean government officially acknowledged Friday that hackers had accessed the Onnara system — a government work management platform — and administrative digital signature certificates called the government public key infrastructure (GPKI), which are essential for civil servant authentication.
Authorities said they are investigating how the breach occurred and assessing the extent of the damage, while also implementing new security measures.
During a press briefing at the government complex in Sejong, the Ministry of the Interior and Safety confirmed that “in mid-July, the National Intelligence Service (NIS) discovered signs that an external party accessed the Onnara system via the Government Virtual Private Network (G-VPN).”
Two months to acknowledge hacking
The statement came two months after a report by Phrack Magazine, a U.S.-based cybersecurity publication, claimed that the Ministry of the Interior and Safety, Ministry of Foreign Affairs, Ministry of Unification, Ministry of Oceans and Fisheries, telecom companies KT and LG U+ and private tech firms including Daum, Kakao and Naver, had all been targeted by hackers.
Until now, the Korean government had remained silent, but on Friday, it acknowledged the report’s claims were accurate.
The NIS is currently working with relevant agencies to determine how the breach occurred and to evaluate the scope of any data leaks. While the Ministry of the Interior and Safety said there has been no confirmed leak of government documents so far, it did not rule out the possibility of such leaks being uncovered during the investigation.
In response to the breach, the government has taken steps to strengthen its cybersecurity protocols.
“Since Aug. 4, remote access to the G-VPN has required not only digital signature authentication but also phone-based verification,” said Lee Yong-seok, head of the digital government innovation office at the Interior Ministry. “Additionally, we completed measures to prevent the reuse of login credentials for the Onnara system, which were applied to all central and local government agencies on July 28.”
Regarding GPKI, the government reviewed the validity of all certificates with information provided by the NIS. Most of the compromised certificates had already expired, and those that were still valid were revoked as of Aug. 13, according to the ministry.
NIS still investigating breach origin
The government also shared the preliminary results of its investigation into the cause of the breach, attributing it to user negligence that led to certificate information being leaked externally.
“All central and local government agencies have been instructed to stop sharing certificates and to strengthen management protocols,” the Interior Ministry said.
Although the North Korean hacking group Kimsuky was initially suspected to be behind the attack, the NIS said there was insufficient evidence to definitively identify the perpetrator. Kimsuky is known for targeting diplomatic, security and defense sectors to gather intelligence for the North Korean regime.
To counter security threats related to certificate theft or duplication, the government announced plans to replace GPKI-based authentication with biometric multi-factor methods, such as mobile government IDs for public officials.
The government also intends to expand the use of secure authentication technologies — including biometric-based digital IDs — across public services for the general population.
“If the NIS identifies any additional issues, we will immediately address and respond to them,” Lee said. “We will do everything we can to prevent a similar incident from happening again.”
Korea JoongAng Daily
Wednesday
October 1, 2025
BY JEONG JAE-HONG [yoon.soyeon@joongang.co.kr],D
A fire at the National Information Resources Service (NIRS)'s Daejeon headquarters destroyed the government’s G-Drive cloud storage system, erasing work files saved individually by some 750,000 civil servants, the Ministry of the Interior and Safety said Wednesday.
The fire broke out in the server room on the fifth floor of the center, damaging 96 information systems designated as critical to central government operations, including the G-Drive platform. The G-Drive has been in use since 2018, requiring government officials to store all work documents in the cloud instead of on personal computers. It provided around 30 gigabytes of storage per person.
However, due to the system’s large-capacity, low-performance storage structure, no external backups were maintained — meaning all data has been permanently lost.
The scale of damage varies by agency. The Ministry of Personnel Management, which had mandated that all documents be stored exclusively on G-Drive, was hit hardest. The Office for Government Policy Coordination, which used the platform less extensively, suffered comparatively less damage.
The Personnel Ministry stated that all departments are expected to experience work disruptions. It is currently working to recover alternative data using any files saved locally on personal computers within the past month, along with emails, official documents and printed records.
The Interior Ministry noted that official documents created through formal reporting or approval processes were also stored in the government’s Onnara system and may be recoverable once that system is restored.
“Final reports and official records submitted to the government are also stored in OnNara, so this is not a total loss,” said a director of public services at the Interior Ministry.
The Interior Ministry explained that while most systems at the Daejeon data center are backed up daily to separate equipment within the same center and to a physically remote backup facility, the G-Drive’s structure did not allow for external backups. This vulnerability ultimately left it unprotected.
Criticism continues to build regarding the government's data management protocols.
