Vulnerability of Internet Security

The series of cases involving breach of personal information over the past few years has caused much concern and anger. This can be traced back to as early as 2008, during which the Korea’s top online auction site Auction had a massive personal data breach of approximately 10 million people, which accounts for 60% of its users; and GS Caltex had a data leak of more than 11 million customers. Similar cases followed in 2010: 20 million customers of Shinsegae Mall had their information security compromised; critical information, such as passwords and credit card ratings, of Hyundai Capital were stolen.
 
In 2011, SK Communications, which operates the country’s most popular social networking site such as Cyworld and Nate, had more than 35 million users’ information stolen by hackers. This was one of the greatest data breach in history, as Cyworld is the biggest social networking site with 25 million users - more than half of the South Korean population. Almost all of the customers’ personal information have been leaked through this incident. Investigations revealed that the hackers accessed the system using an Internet protocol (IP) address based in China and stole information such as names, usernames, passwords, email addresses, phone numbers, and social security numbers. As a result, SK Communications was ordered to pay 200,000 Korean Won to each of the 2,882 plaintiffs in a class action lawsuit. This was the first decree that held companies responsible for the breach of customer’s information. Before this case, the authorities have been quite generous on businesses, sympathizing with their arguments that hacking is uncontrollable.
 
▲ Executives from the financial corporation apologized | Financial Today
In 2012, KT, Korea’s second largest mobile carrier, went through similar problems when the personal information of about 8.7 million mobile phone subscribers were stolen by cyber criminals, who then sold the information to telemarketers. The firm pledged to enhance its online security system. However, KT angered many customers yet again when the second data breach occurred last year. This time, data of 12 million customers were stolen by two hackers and a telemarketing firm. The company was heavily criticized for failing to keep its promise and for discovering the leak too late - the hackers had been stealing data since February 2013. Many individual customers are preparing for a class action lawsuit by creating an online community for victims.
 
It is estimated that KT will be fined up to 100 million Korean Won for the data leak, but many consumer groups argue that more rigorous punishments must be imposed. Despite the massive leakage, government can only impose fines due to the country’s telecommunications law, which states that a telecommunications firm can be put under business suspension only when it profits by using consumers’ information. Consumers have argued that the government should revise the laws, as data leakage through mobile carriers are equally as detrimental as the ones through financial firms.
 
In 2013, Standard Chartered Bank Korea and Citibank Korea, two banks under foreign control, failed to protect the data of 130,000 customers. The stolen information led to financial damages as some Citibank clients were scammed by a voice phishing ring. According to police, data of 2,000 customers were abused by the ring.
 
In January, personal information of more than 20 million customers from KB Kookmin, NH Nonghyup, and Lotte Card were leaked. It turned out that an official from the Korea Credit Bureau (KCB), a credit-evaluation firm for financial corporations, stripped the customer information from these three companies and sold it to an advertiser. In order to tackle and prevent the problem of data breach, the National Assembly processed bills that reinforce data protection. The government fined the companies and placed them under a three-month business suspension. Top executives of the three companies decided to resign to take full responsibility for the data breach and pledged to compensate the victims.
 

The massive data leak scandals shed light on the carelessness of corporations in dealing with personal information security. A government survey revealed that only 1.3% of companies have sectors designed specifically for information security, while 95.9% do not even have a set budget for information security. Financial Services Commission and the Korea Communications Commission expressed their plans to apply stricter sanctions, which includes a fine of 3% of the company’s sales for any information breach. However, many customer groups still voice their concern and anguish, arguing that stronger punitive measures must be taken to prevent further damage in the future. 

Copyright © The KAIST Herald Unauthorized reproduction, redistribution prohibited