Heekyong Yang and Hyunjoo Jin report:
South Korean officials blamed a massive data leak last year at Coupang on management failure, rather than a sophisticated cyberattack, and urged the e-commerce giant to fix vulnerabilities in its security systems.
Announcing the first findings of a government-led probe, the Science Ministry said on Tuesday a former Coupang engineer, who was aware of flaws in the authentication process, broke into the system in April, a breach that lasted until November. The same person had attempted to gain access in January, it said.
[…]
“It’s more of a management problem than an advanced attack,” Choi Woo-hyuk, deputy minister for cyber security and network policy, told a press conference, citing lax oversight of authentication systems.
“The attacker exploited user authentication vulnerabilities to access user accounts without a proper login and caused large-scale unauthorised information leaks,” the ministry said.
Read more at Reuters.
Coupang and its investors have been really pushing back against the regulator’s statements and actions, including compensation amounts for victims (see also Related links below).
But how often do we see federal regulators declare that something is not a “sophisticated attack,” as is often claimed, but rather just poor security?