Investigation into Coupang Customer Data Leak Finds No Evidence of External Transfer

The government has released the results of a public-private investigation into Coupang’s personal data leak, but critics say the probe exposed its own limits by failing to reach a clear conclusion on the key question of whether data was "transferred externally." Because investigators also found no evidence that the attacker actually sent customer information outside the company, many observers say the outcome does not differ significantly from Coupang’s earlier internal findings.
The Public-Private Joint Investigation Team led by the Ministry of Science and ICT announced on the 10th that it had completed its review of the Coupang incident. The team stated, "We confirmed that the attacker had a function that could transfer leaked information to a cloud server located overseas, but we cannot verify whether any data was actually transmitted because no related logs remain."
The team conducted forensic analysis on storage devices from the attacker’s PCs submitted by Coupang (two hard disk drives and two solid-state drives), as well as on laptops used by current Coupang developers. However, it explained that it found no traces of external transmission to cloud or other external storage in connection with the controversial "storage of 3,000 accounts" outside the company.
Previously, on December 25 last year, Coupang announced the results of its own investigation, saying the attacker had acted alone, stored limited customer information from about 3,000 accounts only on a personal PC and laptop, and did not transfer the data externally. That announcement sparked criticism as a so-called "self-investigation," and raised questions over whether the data might in fact have been stored outside the company.
At a National Assembly hearing at the time, Minister of Science and ICT Bae Kyung-hoon said that the government would investigate all possibilities, including additional leaks and external storage, and he announced the launch of the Public-Private Joint Investigation Team. Nevertheless, the latest announcement still did not confirm whether any external transfer took place.
Some in the industry say, "This investigation result can be interpreted as not being substantially different from Coupang’s previous explanation," while others argue, "This should not be taken as a definitive conclusion that there was no external transfer, but rather as showing that even the government’s investigation failed to secure verifiable evidence of external leakage."
Security experts also point out that, because the government was unable to directly question the attacker, there are inherent limits to determining whether data was transferred externally based solely on forensic analysis. As a result, they note, the investigation still leaves unresolved the crucial question of whether the 33.67 million items of personal data were actually leaked outside the company.
clean@fnnews.com Lee Jeong-hwa Reporter