Marketers, IT contractor arrested in theft of 20 million South Korean credit cards

library
crime | hacking | security

At least 40% of South Korea’s entire population – some 20 million people – have had their names, social security numbers and credit card details ripped off and sold to marketing firms in the nation’s biggest-ever theft of personal information.

It’s looking like an inside job.

The theft has been traced back to an IT contractor working for a company called the Korea Credit Bureau, which produces credit scores, the BBC reports.

The worker purportedly copied the massive trove of data onto a USB stick.

He’s been arrested, along with two managers at the marketing firms who were allegedly willing buyers of the data.

According to the BBC, early reports point to the contractor, an engineer, being able to get his hands on the data courtesy of Korea Credit Bureau’s access to databases run by three big South Korean credit card firms.

The Wall Street Journal reports that the chiefs of those credit card firms – KB Kookmin Card, Lotte Card, and NH Nonghyup Card – have publicly apologised for the leaks.

Prosecutors earlier this month alleged that the engineer stole the data between May 2012 and December, according to the WSJ.

Executives at the credit card companies have offered to resign.

One of those resignations – that of the head of NongHyup’s card business, Sohn Kyoung-ik – was immediately accepted, while resignations at the other companies are pending decisions from a company board or chairman.

Although the personal information was leaked, it hasn’t yet been distributed, Financial Services Commission Chairman Shin Je-yoon told reporters on Monday.

The card issuers said that customers wouldn’t be responsible for any future fraudulent charges.

An official at Korea’s national financial regulator, the Financial Services Commission, said that the data was easy to steal, given that it was unencrypted and that the credit card issuers didn’t know it had been copied until investigators told them about the theft, the BBC reports.

No encryption? Yikes!

As far as insider jobs go, this one’s pretty bad if the engineer turns out to be guilty of the crimes with which he’s charged.

The data should have been encrypted, and those trusted with handling it should have been a lot more deserving of that trust.

Deep sympathy to the 20 million Koreans targeted because of the security lapses involved in this debacle.

You’d think we’d have learned by now, in the wake of the Bradley/Chelsea Manning “Wikileaks” saga of 2010, in which decades of confidential US State Department cables were siphoned off…

…without anyone noticing that one person had been drawing down unfeasibly large tranches of data onto removable media.

(If you haven’t thought about a Data Loss Prevention Strategy yet, now might be an excellent time to do so!)

Here’s a sadly-still-relevant podcast from the Wikileaks incident, looking at the question, “How could this have happened?”