Data security breach in South Korea on an epic scale

February 2, 2014

Reports of data breaches are coming thick and fast. Many instances highlight the need for data security to deal with hackers. But there are also data breaches caused by humans, which is what happened in South Korea. In Card Sharps, the Economist reports on how an IT contractor allegedly stole the personal information of around 20 million individuals held in 104 million accounts, all with the use of a USB stick. The soon-to-be-enforceable Australian Privacy Principles make it clear that there needs to be proper data security: technical measures, but also training, programs and processes involving staff. Errors or theft by staff, whether permanent employees or contractors, are a major source of problems in maintaining data security. Organisations implement processes and then fail to properly monitor them. That leads to increasing laxity: passwords are changed less often, they are circulated widely, access to personal information is monitored less frequently and unusual activity is ignored. One of the interviewees in the article describes the problem in South Korea as “management neglect.” In Australia it might be called a quick trip to the Federal Court on a bad day, or enforceable undertakings as the best of all results. The APPs make it clear that compliance is an ongoing obligation. A real challenge for any organisation is dealing with the “bring your own device” phenomenon. With a USB stick and an obliging port at a desktop, an organisation can lose huge amounts of data in a matter of minutes if the proper processes are not in place, including passwords on access, encryption of personal information and notification mechanisms for access to sensitive information. T

The article provides:

BOWING in unison before cameras and customers, the heads of three big South Korean credit-card firms—KB Kookmin Card, Lotte Card and NH Nonghyup Card—apologised, then resigned, on January 20th. Over 20 executives followed.

The synchronised hand-wringing was over one of Korea’s largest-ever thefts of customer data. On January 8th prosecutors arrested an IT contractor for stealing the personal information of around 20m credit-card holders—more than half the working-age population. While working for the Korea Credit Bureau, which evaluates risk for the three card companies, he is said to have transferred details from 104m accounts onto a USB stick over a year, from May 2012. The managers of two marketing companies have been charged with buying the stolen records.

The government has set up a taskforce to “overhaul” the current data-protection rules and to toughen penalties. In the meantime it wants the three firms to be barred from signing up new customers for three months. It has also assured cardholders that no illicit payments have been reported since the first leak six months ago. The 18 types of stolen data—card numbers, expiry dates, e-mail addresses and salaries among them—did not include PIN or card-verification codes, leaving only a “slim” chance for misuse. Still, 2.6m requests to reissue or cancel cards were made in three days. The three firms have promised compensation. Nonetheless, on January 20th, 130 victims sued them. Lawyers say proving damage will be tricky.

South Korea is no stranger to data theft. In 2011 the personal information of 35m Koreans was stolen from Cyworld, then the country’s most popular social network. Details about millions of users have also been plundered from an online shop, a games developer and a mobile-phone operator.

The scale of this latest incident has revealed the financial sector’s vulnerability. Information was stripped from closed accounts (financial firms can hold on to it for up to five years), as well as from failed card applications. Oh Hee-kuk, head of the Korea Institute of Information Security & Cryptology, says “management neglect” is the biggest problem. In 2012 a law was passed requiring the encryption of most companies’ databases, yet the filched data were not encoded. The contractor should never have been given access to customer records, he says; dummy data would have sufficed. Many Korean firms do not allow USB sticks into their premises; some remove USB ports and disc drives from their computers altogether. None of the three companies noticed the theft.

Lax data management is a worry in the world’s most plastic-happy country (there are roughly five credit cards for every Korean). Encouraged by the government a decade ago as a way to limit tax evasion, credit cards account for over half of all consumer spending. They are already losing ground to debit cards, which now receive bigger tax breaks. For some, the perks that come with many credit cards, such as free concierge services, cosmetics and air-miles, make keeping a wallet-full worthwhile. But continued security breaches may prompt others to question the national passion for plastic.

This incident again highlights the fundamental need for mandatory data breach notification legislation.
