Coupang, Inc. claims ‘2,609 front-door access codes were accessed, but omitted from government report’

Coupang, Inc., the parent company of Coupang, publicly challenged on the 10th the findings of a public-private joint investigation, which concluded that an attacker who leaked personal data had viewed some 150 million records of delivery addresses and related information. The company argued that key details were omitted from the report.
In a statement issued the previous afternoon, Coupang, Inc. said, "The report by the Public-Private Joint Investigation Team states that the former employee who leaked the information carried out 50,000 lookups of shared front-door access codes, but it omits the verified finding that these lookups were in fact limited to access involving 2,609 accounts."
Earlier that day, the Ministry of Science and ICT announced at Government Complex Seoul that, according to the results of the public-private joint investigation into the Coupang breach, the volume of personal information leaked by the former employee exceeded 33 million records, and the number of delivery addresses and related data the perpetrator viewed reached 150 million.
The joint investigation team said that the precise scale of the personal data leak would be finalized by the Personal Information Protection Commission (PIPC). However, it highlighted roughly 140 million "lookups" and stressed that "a lookup constitutes a leak."
Responding to this, Coupang, Inc. stated, "The Public-Private Joint Investigation Team and the Personal Information Protection Commission (PIPC) also have forensic analysis results confirming that no personal data of Korean users was stored on the recovered device." The company added, "All forensic evidence is fully consistent with the sworn confession of the former employee, who stated that they had stored user data from about 3,000 accounts and then deleted it." In other words, Coupang maintains that its own earlier finding of "data from 3,000 user accounts being stored" remains unchanged.
On the possibility of secondary damage, the company said, "No evidence of any secondary harm resulting from the Coupang personal data incident has been identified," adding, "This is based on the latest analysis by independent security firm CNS."
It went on to emphasize, "Multiple independent internet security companies are monitoring the Dark Web, the Deep Web, Telegram, Chinese messenger platforms, and other channels, and they are providing Coupang with their findings on a weekly basis."
The joint investigation team also stated at its briefing that no secondary damage linked to the Coupang data leak has been confirmed so far.
clean@fnnews.com Lee Jeong-hwa Reporter