Breach At South Korea's Equivalent of Amazon Exposed Data of Almost Every Adult (wsj.com)
An anonymous reader quotes a report from the Wall Street Journal: The alleged perpetrator had improper access to virtually every South Korean adult's personal information: names, phone numbers and even the keycode to enter residential buildings. It was one of the biggest data breaches of recent years and it has sent the company it targeted -- Coupang, South Korea's equivalent of Amazon -- reeling, generating lawsuits, government investigation and calls to toughen penalties against such leaks. The leak went undetected for nearly five months, hitting Coupang's radar on Nov. 18 only after a customer flagged suspicious activity.
At first, Coupang, which was founded by a Korean-American entrepreneur, said it had experienced a data "exposure" affecting roughly 4,500 customer accounts. But within days, the e-commerce firm revised the figure: The leak exposed up to roughly 34 million user accounts in South Korea -- a sum representing more than 90% of the country's working-age population. Coupang started calling the incident a "leak" after Korean regulators took issue with the company's prior word choice. "The Whole Nation Is a Victim," read one local news headline.
An investigation has found that the alleged perpetrator had once worked in South Korea as a software developer for authentication systems at Coupang, which is known for its blockbuster U.S. initial public offering a few years ago. The suspected leaker is believed to be a Chinese national who has moved back to China and is now on the lam, South Korean officials say. They haven't named the person. Even after leaving the firm roughly a year ago, the suspect secretly held on to an internal authentication key that granted him unfettered access to the personal information of Coupang users, South Korean authorities and lawmakers say. The infiltration, using overseas servers, started on June 24. By using the login credentials, the suspect was able to appear as if he were still a Coupang employee when accessing the company's systems.
Slashdot needs a long-term discussion mechanism (Score:2)
Some stories are worth more discussion than the standard scrolling time allows... I think Slashdot should allow for some stories to move down the front page more slowly than others.
Wrong solution. (Score:3)
Trying to increase penalties is incredibly stupid. That only makes things worse. Let me be clear: there is NO way to stop this kind of breach from happening again.
The problem is that morons believe they will never be robbed. There is no one with perfect security. The more valuable your data, the more likely it WILL be broken into. Every security professional or database designer (AND their bosses) should be required to sign a statement that says this every year.
AI will only make it worse as bad actors / governments will begin to set AI to find the exploits.
The only solution is to prevent companies from collecting and maintaining this level of information.
There was no need for a single database to contain 34 million people's key addresses and keycodes to enter residential buildings. No need for a database to contain keycodes for more than a single building, even if your company owns multiple buildings or runs security for multiple buildings.
The proper solution is to outlaw the creation of such massive databases. You want to contain information on more than 1 million people? Then there should be massive limitations on what it can contain. No passwords at all for something that large. Name, address and phone numbers should already be suspect at 1 million entries.
If you have 34 stores, then keep 34 separate databases that have a different security system for each of them.
Re: (Score:2)
Increasing penalties will just create more people who had no actual ability to change anything, but are left hung out to dry as a sacrifice. Stuff will still go on.
Re: (Score:2)
Even worse, harsher penalties will lead to more coverups and less disclosure.
Coupang voluntarily reported the breach. That should be encouraged.
Re: (Score:2)
Yes, this has been said by many people, in many countries, over many decades. In some cases this sensitive data is being kept years after a customer ceases business.
In this case I shake my head at the laziness of the security team, as credential management in Sec/Sys/Dev/Ops/CM is pretty standard, but does need the company culture that it matters, or one ends up with main admin password pairs being "admin/
Re: (Score:2)
So are you saying that no business should be allowed to have more than one million customers? If you're operating an online retailer, you can't really avoid storing the name, address, and contact details for each customer, and a password for them to log in - otherwise, how do they log in, and get a parcel delivered? And if you have 34 million customers, you have 34 million people's personal data.
Re: Wrong solution. (Score:2)
We all know that this data is a lot more than just name and address. Apart from that, that data doesn't need to be accessible outside a strictly limited time window and can be encrypted at any other time. This means it should perhaps have its own system.
I once worked for the tax authorities and recommended they split up their archive in two parts: one containing the search keys, such as social security numbers, names etc, as well as indexes to random document keys, and the other containing the actual data a
Re: (Score:2)
Increased complexity does not mean increased security.
In fact, it encourages people to create easy access methods (cheats) to simplify their work flow. These cheats decrease security.
Re: (Score:2)
No I am saying that no single database should exist for all of their customers.
Amazon does not need to store passwords in the same database they store the sales information in. One database could contain just their encrypted passwords and the emails.
Another could store customers names and addresses.
And each database could be under the control of a different director who gets to maintain their security in a different manner.
Also, Amazon has different businesses. No need for the kindle unlimited accounts to
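The two designs sketched in this thread (an index of search keys pointing at random document keys, with the actual data in a separate store, and login material kept apart from everything else) can be shown in a few dozen lines. This is an added illustration, not code from Coupang or from either commenter; the store names, the SSN-as-search-key choice, the PBKDF2 round count and the sample customers are all assumptions made for the example.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # assumption; tune to hardware and policy


class IndexStore:
    """Search keys (here an SSN) -> random document key. Holds no PII payload."""

    def __init__(self) -> None:
        self.by_ssn: Dict[str, str] = {}


class RecordStore:
    """Random document key -> personal data. Holds no search keys at all."""

    def __init__(self) -> None:
        self.records: Dict[str, Dict[str, str]] = {}


class CredentialStore:
    """Login material only: email -> (salt, PBKDF2 hash). Nothing else lives here."""

    def __init__(self) -> None:
        self.creds: Dict[str, Tuple[bytes, bytes]] = {}

    def set_password(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.creds[email] = (salt, digest)

    def verify(self, email: str, password: str) -> bool:
        entry = self.creds.get(email)
        if entry is None:
            return False
        salt, digest = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return secrets.compare_digest(candidate, digest)


class CustomerRegistry:
    """Front door that writes to all three stores; each store is useless alone."""

    def __init__(self) -> None:
        self.index = IndexStore()
        self.records = RecordStore()
        self.creds = CredentialStore()

    def register(self, ssn: str, email: str, password: str,
                 name: str, address: str) -> str:
        doc_key = secrets.token_hex(16)   # unguessable and unrelated to identity
        self.index.by_ssn[ssn] = doc_key
        self.records.records[doc_key] = {"name": name, "address": address}
        self.creds.set_password(email, password)
        return doc_key

    def find_by_ssn(self, ssn: str) -> Optional[Dict[str, str]]:
        doc_key = self.index.by_ssn.get(ssn)
        if doc_key is None:
            return None
        return self.records.records.get(doc_key)


def linkable_records(index_dump: Dict[str, str],
                     record_dump: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """What an attacker can tie back to a person from whichever dumps they obtained.
    One store's dump on its own links to nothing."""
    return {ssn: record_dump[key] for ssn, key in index_dump.items() if key in record_dump}
```

The point of `linkable_records` is the breach surface: a dump of the record store is a pile of names and addresses with no way to look anyone up, a dump of the index is a pile of SSNs pointing at random strings, and the password hashes are in a third place that need not even be on the same network. Whoever holds the customer-facing credential still needs all three to reassemble a person.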
Keep some data near-line (Score:1)
Things like building-access-codes don't need to be kept on a "live" database. If a customer places an order, the key-access-code for that specific customer can be copied from nearline storage to "live" storage well before delivery, then deleted after delivery is complete.
This way, if the "live" database is completely compromised, only the relatively-few customers who have pending or very-recently-delivered items will have their key-access-code data stolen.
A similar principle can apply to the customer's con
yes, I know that this is a different problem (Score:1)
The problem in this case was a stolen credential that was left usable for an extended period of time. Near-line storage alone would've only been a small "bump in the road" for this particular leak, assuming the person knew enough to ask for all the data to be loaded from near-line storage before stealing it.
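The near-line idea from the parent post, together with the caveat in this one, as an added example (not code from the original page or from Coupang): building codes sit in a vault the live service can only read one order at a time, are copied into the live store only inside a delivery window, and are dropped when the delivery completes or the window lapses. The lead time, retention period, order records and sample codes are all assumptions. The bulk path shows the caveat: asking for everything through the same API still only stages the orders that are actually due.

```python
from dataclasses import dataclass
from typing import Dict, Optional

HOUR = 3_600
LEAD = 12 * HOUR       # stage a code at most 12 h before delivery (assumption)
RETENTION = 2 * HOUR   # drop it 2 h after the scheduled delivery if not purged sooner


@dataclass
class Order:
    order_id: str
    customer_id: str
    delivery_at: int      # unix time
    delivered: bool = False


@dataclass
class StagedCode:
    customer_id: str
    code: str
    expires_at: int


class NearlineVault:
    """Stands in for the near-line store: not queryable by the live service
    except through read_for_staging(), one customer at a time."""

    def __init__(self) -> None:
        self._codes: Dict[str, str] = {}

    def put(self, customer_id: str, code: str) -> None:
        self._codes[customer_id] = code

    def read_for_staging(self, customer_id: str) -> Optional[str]:
        return self._codes.get(customer_id)


class LiveStore:
    def __init__(self, vault: NearlineVault) -> None:
        self.vault = vault
        self.orders: Dict[str, Order] = {}
        self.staged: Dict[str, StagedCode] = {}   # order_id -> code held in the live DB

    def place_order(self, order: Order) -> None:
        self.orders[order.order_id] = order

    def stage_for_delivery(self, order_id: str, now: int) -> bool:
        """Copy a building code into the live store only for a real, pending
        order inside the delivery window; anything else is refused."""
        order = self.orders.get(order_id)
        if order is None or order.delivered:
            return False
        if order.delivery_at - now > LEAD:
            return False                       # too early, stays near-line
        code = self.vault.read_for_staging(order.customer_id)
        if code is None:
            return False
        self.staged[order_id] = StagedCode(order.customer_id, code,
                                           order.delivery_at + RETENTION)
        return True

    def complete_delivery(self, order_id: str) -> None:
        self.orders[order_id].delivered = True
        self.staged.pop(order_id, None)        # the code leaves the live store

    def purge(self, now: int) -> int:
        """Safety net for deliveries that never got marked complete."""
        expired = [oid for oid, s in self.staged.items() if now >= s.expires_at]
        for oid in expired:
            del self.staged[oid]
        return len(expired)

    def dump_live(self) -> Dict[str, str]:
        """What a full read of the live database yields: only staged codes."""
        return {s.customer_id: s.code for s in self.staged.values()}

    def stage_everything(self, now: int) -> int:
        """A bulk request through the same API still only gets in-window orders."""
        return sum(self.stage_for_delivery(oid, now) for oid in list(self.orders))
```

With three customers on file and one delivery due in two hours, `dump_live()` after `stage_everything()` returns exactly one code; once that delivery is completed or `purge()` runs past its retention window, the live store is empty again. A stolen credential that can read the live database gets the in-window slice, not the whole country, which is the bump in the road the post describes.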
Re: (Score:3)
>> if the bad actor had unlimited employee access
There's no reason for any employee to have unlimited access. That was the point. Everyone should be limited and encapsulated to the work at hand.
Re: (Score:2)
The last time I left a company, I had a high (but not unlimited) level of access there. On leaving, I had to return my access card, my tamagotchi (the device which gave me the 6-digit code I needed to log in, the code changed every 10 or 12 seconds) and my laptop. I did forward my emails and phone to my private account, partially so I could tell people who asked that I'd left and partially to see how long it took them to delete them (it was almost exactly 3 months).
Why did Coupang not have similar securit
Re: Keep some data near-line (Score:2)
Indeed, it's pretty easy to set up. Except if he was the one setting it up, with a key that was exempted from this rule.
Re: (Score:2)
https://www.zscaler.com/resour... [zscaler.com]
Re: (Score:2)
It means that everyone is limited and encapsulated to the work at hand.
Re: (Score:2)
Someone or group will need to be able to assign access I agree. But in this case "perpetrator had once worked in South Korea as a software developer for authentication systems" and "the suspect secretly held on to an internal authentication key that granted him unfettered access to the personal information of Coupang users". There should be no such key, and obviously they should be able to revoke all access keys a previous employee has held.
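What the summary describes (a key kept by a departed developer that still authenticated a year later) and what this comment asks for (no such key, and revocation of every key a former employee held) come down to binding each key to an employee record with an expiry and checking that binding on every use. This is an added example and not code from Coupang or from the poster; the registry, its 30-day ceiling and the sample employee are assumptions. `validate_weak` is the failure mode: a key is honoured for as long as it exists. `validate` is the check a practitioner would want, and `audit_orphans` finds keys that one accepts and the other rejects.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List

DAY = 86_400  # seconds


@dataclass
class Employee:
    username: str
    active: bool = True


@dataclass
class AccessKey:
    owner: str       # employee the key was issued to
    issued_at: int   # unix time
    ttl: int         # seconds the key stays valid
    revoked: bool = False


class KeyRegistry:
    """Hypothetical registry standing in for a secrets manager fed by HR events."""

    def __init__(self, max_ttl: int = 30 * DAY):
        self.employees: Dict[str, Employee] = {}
        self.keys: Dict[str, AccessKey] = {}
        self.max_ttl = max_ttl  # policy: no key outlives this without reissue

    def hire(self, username: str) -> None:
        self.employees[username] = Employee(username)

    def issue(self, username: str, ttl: int, now: int) -> str:
        emp = self.employees.get(username)
        if emp is None or not emp.active:
            raise PermissionError(f"{username} is not an active employee")
        if ttl > self.max_ttl:
            raise ValueError("requested ttl exceeds policy")
        key_id = secrets.token_urlsafe(24)
        self.keys[key_id] = AccessKey(username, now, ttl)
        return key_id

    def deactivate(self, username: str) -> None:
        """HR side of offboarding: the account stops being an employee."""
        self.employees[username].active = False

    def revoke_all(self, username: str) -> int:
        """Credential side of offboarding: kill every key this person was ever issued."""
        count = 0
        for key in self.keys.values():
            if key.owner == username and not key.revoked:
                key.revoked = True
                count += 1
        return count

    def offboard(self, username: str) -> int:
        self.deactivate(username)
        return self.revoke_all(username)

    def validate_weak(self, key_id: str) -> bool:
        """A key is accepted as long as it exists: no owner check, no expiry."""
        return key_id in self.keys

    def validate(self, key_id: str, now: int) -> bool:
        """Accept only an unrevoked, unexpired key whose owner is still active."""
        key = self.keys.get(key_id)
        if key is None or key.revoked:
            return False
        if now > key.issued_at + key.ttl:
            return False
        emp = self.employees.get(key.owner)
        return emp is not None and emp.active

    def audit_orphans(self, now: int) -> List[str]:
        """Keys the weak check would still honour but the strict one rejects."""
        return [k for k in self.keys
                if self.validate_weak(k) and not self.validate(k, now)]
```

The three conditions in `validate` are deliberately independent: if offboarding forgot to revoke, the owner-status check still refuses the key; if HR never flipped the flag, the TTL still runs out well short of a year; and `audit_orphans` run periodically surfaces any key that only survives because a weaker check somewhere still accepts it.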
Will we finally learn our lesson? (Score:2)
Eight-Ball-Based-On-Cursory-Reading-Of-Literally-Any-Slice-of-Human-History says "no".
What do you say, and why is it also "no"?
Re: Will we finally learn our lesson? (Score:2)
True. Capitalism works best if the profits are for you and the costs for your customers or workers. But that's why we have compliance with penalties. The EU is increasing the number of compliance regulations for this every year. With good reason.
But the first rule should be: don't store data you don't need for your business process. Treat data as toxic waste: less is more.
Re: (Score:2)
>> True. Capitalism works best if the profits are for you and the costs for your customers or workers. But that's why we have compliance with penalties. The EU is increasing the number of compliance regulations for this every year. With good reason.
>> But the first rule should be: don't store data you don't need for your business process. Treat data as toxic waste: less is more.
Seems that the EU has their own share of data breaches. https://www.upguard.com/blog/b... [upguard.com].
Anyhow, have the shakers and movers in the EU tried reaching out to teach Korea a better way?
just don't keep data (Score:1)
There is data necessary to do your business and there is data gathered and kept that isn't.
Not sure when companies are going to learn to resist gathering and keeping more than they absolutely need.
If you gather it, you have to protect it and that just doesn't seem possible.
Fines are not a deterrent and legal accountability is unlikely. Not sure the fix here.
But is this Korean company more evil than Amazon? (Score:2)
Fishing for Funny in the dark. Pretty sure I didn't get there, but also expressing my disappointment that no one else got there first.
Getting away from funny, but 'modern capitalism' is supposed to be based on a kind of adversarial model. The companies want to sell us as much stuff as possible with the highest profits, while we are supposed to be trying to find the best values to force the companies to offer better products at lower prices. But the powers are not balanced in this 'game'. Individuals are ac