It was the largest data theft ever in South Korea. Affecting 40% of people in the country, the details of customers at three card companies were stolen by a contractor and sold on. Billy Bambrough examines the scale of the theft and the impact of the punishment dished out by the regulator.
Data leaks are becoming a common annoyance for card companies, not to mention any other company that stores people's data, which is pretty much all of them these days.
Barely a day passes without an announcement from a financial services company that it has lost people's sensitive data.
The largest and most costly so far was the Target data breach over the last couple of months of 2013, with costs related to the theft now exceeding $200m for financial institutions, according to data collected by the Consumer Bankers Association and the Credit Union National Association. The threat of lawsuits against Target is now on the table, and you can bet that Target has begun to take card security a whole lot more seriously.
In South Korea last month, an employee from personal credit ratings firm Korea Credit Bureau (KCB) was arrested and accused of stealing the data from customers of three credit card firms while working for them as a temporary consultant.
The data stolen from KB Kookmin Card, Lotte Card and NH Nonghyup Card included names, social security numbers, phone numbers, e-mail addresses, credit card numbers and expiration dates.

Although not unheard of, data breaches by employees are certainly far less common than attacks coming from outside of the company.
Francesco Burelli, industry expert and partner at Value Partners, told CI: "While the typical perpetrators act from outside the company (e.g. through hacking), employer or supplier disloyalty is a rare occurrence in an industry in which tight security standards are enforced upstream throughout the value chain by issuers and acquirers, in addition to the industry-wide compliance obligations (e.g. PCI/DSS).
"This type of data leak is infrequent but even so at this scale and there is no particular reason to suspect that this will become more frequent in the future."
"This does not diminish the seriousness of the accident and of the fact that companies, throughout the value-chain, should pay more attention to ensure that data sensitive information is protected from outside as well as in-house threats."
Burelli does cut the South Korean companies a little slack though, arguing that if employees are willing to break the law then there is often little the company can do to stop them.
Burelli says: "It should be noted that in all cases no procedure will ever be completely safe, albeit the risk will always be small. Ultimately standards and policies should be revised and improved on periodically to minimise risks."
For South Korea, though, this is worse news than for many other countries, due to the investment the country has put into non-cash payments.
"This case is large scale as it practically affects about 40% of the population of Korea, a country that has leveraged and enforced electronic payments throughout the economic system to combat tax evasion, enforce supervision, to boost internal consumption and gain overall payment efficiencies. Koreans hold about four cards in each wallet and the scale of the accident is significant."
The fine levied against the companies did succeed in turning heads, although possibly for the wrong reasons. KB Kookmin Bank, Lotte Card and NH Nonghyup Card have each been fined just SKW6m ($5,600), although this comes with a ban from issuing new credit cards for three months, the effects of which we will see in the companies' next financial reports.
Burelli explains: "It is difficult to make a statement on the size of the fine without being familiar with the Korean legislation. The regulatory probe is being widened as the financial services regulator began probing operations at Kookmin Bank, the nation’s largest lender, in relation to information breaches at the card unit.
"It ordered 14 other financial firms to examine possible data theft, without disclosing the names of the institutions.
"The three months ban to issue new cards and loans applied to KB Financial Group, NongHyup Financial Group and retailer Lotte Group in reality is quite a punishment in its own right in business terms but, ultimately, the bigger damage is the one deriving from consumers’ loss of trust in brands and products."
Previous South Korea data breaches
In 2012, two South Korean hackers were arrested for stealing data from 8.7m customers at the nation's second-biggest mobile operator.
In November 2011, Seoul’s top games developer Nexon also saw the personal information of 13m users of its popular online game MapleStory stolen by hackers.
In July the same year, personal data from 35m users of Cyworld — the South’s social networking site — was also stolen by hackers.