News: 0180402845


Breach At South Korea's Equivalent of Amazon Exposed Data of Almost Every Adult (wsj.com)

(Tuesday December 16, 2025 @10:30PM (BeauHD) from the massive-data-leaks dept.)


An anonymous reader quotes a report from the Wall Street Journal:

> The alleged perpetrator had [1]improper access to virtually every South Korean adult's personal information: names, phone numbers and even the keycode to enter residential buildings. It was one of the biggest data breaches of recent years and it has sent the company it targeted -- Coupang, South Korea's equivalent of Amazon -- reeling, generating lawsuits, government investigation and calls to toughen penalties against such leaks. The leak went undetected for nearly five months, hitting Coupang's radar on Nov. 18 only after a customer flagged suspicious activity.

>

> At first, Coupang, which was founded by a Korean-American entrepreneur, said it had experienced a data "exposure" affecting roughly 4,500 customer accounts. But within days, the e-commerce firm revised the figure: The leak exposed up to roughly 34 million user accounts in South Korea -- a sum representing more than 90% of the country's working-age population. Coupang started calling the incident a "leak" after Korean regulators took issue with the company's prior word choice. "The Whole Nation Is a Victim," read one local news headline.

>

> An investigation has found that the alleged perpetrator had once worked in South Korea as a software developer for authentication systems at Coupang, which is known for its blockbuster U.S. initial public offering a few years ago. The suspected leaker is believed to be a Chinese national who has moved back to China and is now on the lam, South Korean officials say. They haven't named the person. Even after leaving the firm roughly a year ago, the suspect secretly held on to an internal authentication key that granted him unfettered access to the personal information of Coupang users, South Korean authorities and lawmakers say. The infiltration, using overseas servers, started on June 24. By using the login credentials, the suspect was able to appear as if he were still a Coupang employee when accessing the company's systems.



[1] https://www.wsj.com/world/asia/breach-at-south-koreas-equivalent-of-amazon-exposed-data-of-almost-every-adult-ba8d9ebd



Wrong solution. (Score:2)

by gurps_npc ( 621217 )

Trying to increase penalties is incredibly stupid. That only makes things worse. Let me be clear: there is NO way to stop this kind of breach from happening again.

The problem is that morons believe they will never be robbed. There is no one with perfect security. The more valuable your data, the more likely it WILL be broken into. Every security professional or database designer (AND their bosses) should be required to sign a statement that says this every year.

AI will only make it worse as bad actors /

Re: (Score:2)

by ctilsie242 ( 4841247 )

Increasing penalties will just create more people who had no active ability to change stuff, but are left to hang out to dry as a sacrifice. Stuff will still go on.

Keep some data near-line (Score:1)

by davidwr ( 791652 )

Things like building-access-codes don't need to be kept on a "live" database. If a customer places an order, the key-access-code for that specific customer can be copied from nearline storage to "live" storage well before delivery, then deleted after delivery is complete.

This way, if the "live" database is completely compromised, only the relatively-few customers who have pending or very-recently-delivered items will have their key-access-code data stolen.

A similar principle can apply to the customer's con

yes, I know that this is a different problem (Score:1)

by davidwr ( 791652 )

The problem in this case was a stolen credential that was left usable for an extended period of time. Near-line storage alone would've only been a small "bump in the road" for this particular leak, assuming the person knew enough to ask for all the data to be loaded from near-line storage before stealing it.
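A sketch of the near-line pattern described in the two davidwr comments above, added here as an illustration; it is not code from Coupang or from any commenter. The class, method names, grace period and sample data are assumptions, and the check in `stage` reflects the follow-up point that bulk loading from near-line storage must not be available on request.

```python
import time

class AccessCodeStore:
    """Near-line vault plus a small live table holding codes only for open orders."""

    def __init__(self, vault, grace_seconds=3600):
        self._vault = dict(vault)   # near-line copy: customer_id -> code
        self._open_orders = {}      # order_id -> customer_id
        self.live = {}              # order_id -> [customer_id, code, purge_at]
        self.grace = grace_seconds

    def place_order(self, order_id, customer_id):
        self._open_orders[order_id] = customer_id

    def stage(self, order_id):
        """Copy one code to live storage; refuse anything not backed by an open order."""
        if order_id not in self._open_orders:
            raise PermissionError(f"no open order {order_id}; refusing to stage")
        customer_id = self._open_orders[order_id]
        self.live[order_id] = [customer_id, self._vault[customer_id], None]

    def delivered(self, order_id, now=None):
        """Mark delivery; the code stays live only for the grace period."""
        now = time.time() if now is None else now
        self._open_orders.pop(order_id, None)
        if order_id in self.live:
            self.live[order_id][2] = now + self.grace

    def purge(self, now=None):
        """Delete live rows whose grace period has ended; return how many were removed."""
        now = time.time() if now is None else now
        expired = [o for o, (_, _, at) in self.live.items() if at is not None and at <= now]
        for order_id in expired:
            del self.live[order_id]
        return len(expired)

    def exposed_if_live_dumped(self):
        """Customers whose code is obtained from a full dump of the live table."""
        return {cust for cust, _, _ in self.live.values()}

def demo():
    # Constructed sample data: 1,000 customers, three with deliveries in flight.
    store = AccessCodeStore({f"cust{i}": f"code{i:04d}" for i in range(1000)})
    for n in (7, 42, 900):
        store.place_order(f"ord{n}", f"cust{n}")
        store.stage(f"ord{n}")
    store.delivered("ord7", now=0)
    store.purge(now=3600)           # ord7's grace period has ended
    return store.exposed_if_live_dumped()

if __name__ == "__main__":
    print(sorted(demo()))
```

This bounds what a dump of the live table yields; it does nothing if the stolen credential can read the near-line vault directly.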

Re: (Score:2)

by Retired Chemist ( 5039029 )

Not seeing how this would help, if the bad actor had unlimited employee access. He could simply download any information he wanted. The only solution that I see is not to store the information at all. Require it to be entered every time and do not keep it anywhere.
