In January, the whole country was abuzz with the news that the personal information of 104 million people had leaked from three major credit card companies. The incident, the biggest information leak in Korea's history, left many people fearing fraud and the financial loss that follows it. Yet it is hardly surprising, because leaks like this have been happening so frequently over the last few years. By now one has to ask why companies keep letting such things happen and why the government has done so little to prevent them.
In the most recent case, the story goes that a vice-director at the Korea Credit Bureau (KCB) collected the personal information while developing a computerization service commissioned by Kookmin Bank (KB) Card, Lotte Card, and Nonghyup (NH) Card. Although prosecutors arrested the KCB vice-director in December 2013, the hoarding of information is said to have gone on for about a year, starting at the end of 2012.
▲ The presidents of the NH, Lotte and KB card companies apologize for the information leakage at a press conference. Provided by newstomato.com
As mentioned, there are numerous precedents for this kind of crime. In January 2008, Auction, one of the biggest online shopping websites, was hacked and the personal information of 18.6 million people was leaked. In 2011, the information of 1.7 million Hyundai Capital customers was stolen in May, followed by that of 35 million users of the social networking website Nate in July. The record continued in 2012 with about 40 million from the Educational Broadcasting System (EBS) in May and 8.7 million from Korea Telecom (KT) in July.
“This stolen personal information,” according to Professor Lee Kyung Ho (Information Security), “is generally utilized in service industries that have their business based on personal information. The information is used in various legal customer marketing industries and even for cybercrimes such as internet fraud, smishing and voice phishing.” The stolen information is not only used for illegal activities; it is also bought and used by legitimate companies.
In the recent incident, the primary buyer of the stolen information was the CEO of an advertising agency, and the KCB vice-director was paid more than 10 million won for it. “The reality is, the more directly linked the utilization of personal information is to the company’s profit increase, the more desire the company will show in acquiring this personal information, despite the illegality,” added Professor Lee.
One important thing to note about the danger of continuous mass information leakage in Korea is that the resident registration number is almost always among the data taken. Given Korea's population of 51 million and the scale of the leaks so far, it could be said that almost everyone's resident registration number has already been exposed. “It is easy, once knowing the resident registration number and some basic information, to register for services such as banking, mobile phones, and credit cards, especially when non-face-to-face transactions are flourishing in Korea’s cyberspace nowadays,” said Professor Lee. The number can never be changed once it has been assigned to a person, so once it is leaked, it remains exposed to misuse for the rest of that person's life.
▲ A lot of information, including the resident registration number, is often required by financial institutions. Photographed by Kim Jung Ik
Since its introduction in 1975, the resident registration number has grown in use to become the most basic means of identifying oneself, but after leaks on this scale it is questionable whether it can still serve that purpose. The problem of the unchangeable resident registration number has recently been brought into the open, particularly with President Park's order on January 27 to study other countries' examples for alternative means of personal identification.
Knowing how the dangers are amplified when Korea's personal identification system meets information leakages, one wonders why companies in Korea let them happen. Most companies, financial institutions included, make just enough effort to meet the minimum requirements for information security, because the board of directors sees no need to invest heavily against something it considers highly unlikely to happen. The security official within the institution takes the blame when a leak occurs, but has little room to develop countermeasures beforehand. “It goes as far as bringing about misunderstandings if the security official was to propose a higher level of investment than what the regulating institute’s guide says,” commented Professor Lee.
The fact that financial companies are rarely subjected to meaningful fines further diminishes their concern for information security. By law, the maximum fine a financial company can face for an information leakage in Korea is six million won, apart from the obvious indemnities owed to victims. In the United States (U.S.), the company responsible for such an incident faces punitive damages equal to the original damage, and in harsher cases up to three times that amount. For example, ChoicePoint, a U.S. credit information company, was made to pay 15 million dollars in a 2006 settlement with the Federal Trade Commission (FTC) over a security breach.
In January, the Financial Services Commission (FSC) proposed punitive fines as a measure to prevent further leakages, adding that any organization found using illegally acquired personal information should also be fined. However, the proposed fines are very high for the latter but not for the company responsible for the leak, so it is questionable whether the proposal, if enforced, would actually push companies to invest more in information security.
After Korea’s biggest personal information leakage incident, companies, politicians, and the government alike appear to be doing their best to keep the situation under control. Various preventive measures are being discussed, but something important seems to have been left out: there are no explicit plans to help the victims. Company presidents are busy apologizing at press conferences, but when it comes to compensation, they are determined to keep their own losses as small as possible. Under what the three companies have proposed so far, if the leaked information is used for smishing or voice phishing and the victim ends up suffering financial damage, the company will take no responsibility.
In a country with only one standardized method of personal identification, any information leak is bound to be far more critical. Despite this, our laws have done little to prevent further incidents, and as a consequence leaks have kept happening with great frequency. Going through so many of them has not led to proper procedures for helping the victims either. It is time for the government to step forward and firmly build a system to prevent these incidents, once and for all.