South Korea punishes three credit card firms over data heist

library
crime | hacking | security

South Korean regulators have fined three credit card companies and banned them from issuing new credit cards for three months in the wake of the country’s largest-ever data theft last month.

The heist turned out to be an inside job, traced back to one IT guy inside a credit bureau and some dodgy data buyers, all of whom were arrested.

Financial data on at least 20 million people – more than 40% of the country’s population – was stolen and sold to marketing firms.

The theft was traced back to an IT contractor working for a company called the Korea Credit Bureau, which produces credit scores.

The worker purportedly copied the massive trove of data onto a USB stick.

He was arrested along with two managers at the marketing firms who were allegedly willing buyers of the data.

Early reports pointed to the contractor, an engineer, being able to get his hands on the data courtesy of Korea Credit Bureau’s access to databases run by three big South Korean credit card firms.

Those credit card companies – KB Financial Group, NongHyup Financial Group and retailer Lotte Group – will each be fined 6 million Korean won ($5,658).

The BBC reports that South Korea’s Financial Supervisory Commission (FSC) said that the three firms had “neglected their legal duties of preventing any leakage of customer information”.

The credit card companies will also be banned from issuing new credit cards for three months, until 16 May 2014.

The chiefs of the credit card firms have publicly apologised for the leaks.

Some executives at NongHyup and KB Financial have resigned, while others at the three companies have offered their resignations.

According to the Wall Street Journal, all three companies said they would try to minimise inconvenience to customers.

Thousands of those customers, roaring mad, swamped branches of the three firms last month, demanding to have their cards cancelled or to have new ones issued, the BBC reports.

The WSJ reports that, pending the completion of investigations, the commission might seek further punishment for company executives and might also seek to double the credit firms’ suspensions to six months for future cases.