The former employee behind the recent Coupang data breach tried to cover his tracks by smashing his MacBook Air and throwing it into a river, the company revealed in a recent update on the incident.
The alleged perpetrator panicked when news outlets reported on the Coupang breach, the December 25 update said. “Among other things, the perpetrator stated that he physically smashed his MacBook Air laptop, placed it in a canvas Coupang bag, loaded the bag with bricks, and threw the bag into a nearby river,” the update said.
Using maps and descriptions from the former employee, divers were able to recover the laptop from the river. “It was exactly as the perpetrator claimed—in a canvas Coupang bag loaded with bricks—and its serial number matched the serial number in the perpetrator’s iCloud account,” Coupang said.
Coupang has since updated the post twice, once to reassure customers that the company was cooperating fully with the government in its investigation, and the second time to announce a “customer compensation plan to restore customer trust” with vouchers worth about USD $35 (50,000 won) per customer.
Coupang Breach Smaller than Feared
Much of the update sought to reassure customers of the Korean online retailer that the breach was smaller than initially feared.
While initial reports said the breach – which led to the CEO’s resignation – might have compromised the data of more than 33 million, Coupang said its investigation indicates that while the perpetrator may have accessed 33 million accounts, he “retained limited user data from only 3,000 accounts and subsequently deleted the user data.”
The user data included 2,609 building entrance codes, but no payment, log-in data or individual customs numbers were accessed, and the perpetrator never transferred any of the data to third parties, the company said.
Coupang said it conducted its investigation with Mandiant, Palo Alto Networks and Ernst & Young.
Perpetrator ‘Confessed Everything’
Coupang said it used “digital fingerprints” and other forensic evidence to identify the former employee allegedly responsible for the breach. “The perpetrator confessed everything and revealed precise details about how he accessed user data,” the company said.
The former employee used “an internal security key that he took while still working at the company” to access “basic user data” from more than 33 million customer accounts. He retained user data (name, email, phone number, address and partial order histories) from about 3,000 accounts, plus 2,609 building entrance access codes.
The Coupang statement notes repeatedly that the alleged perpetrator’s story is supported by the available forensic evidence, likely to reassure customers that the breach wasn’t as bad as initially feared. The statement frequently uses phrases such as “exactly as the perpetrator described” to underscore that the forensic evidence supports the former employee’s claims.
“The investigative findings to date are consistent with the perpetrator’s sworn statements and found no evidence that contradicts these statements,” the company says in another section.
“The perpetrator stated that he used a personal desktop PC and a MacBook Air laptop to provision access and to store a limited amount of user data,” the Coupang statement said. “Independent forensic investigation confirmed that Coupang systems were accessed using one PC system and one Apple system as the primary hardware interfaces, exactly as the perpetrator described.”
The perpetrator also turned over the PC system and four hard drives from the system, “on which analysts found the script used to carry out the attack,” the company said.