Data stolen from more than 100M cardholders

From left, Nonghyup Card CEO Sohn Kyung-shik, KB Card CEO Shim Jae-oh and Lotte Card CEO Park Sang-hoon apologize to the public at the Korea Chamber of Commerce and Industry in downtown Seoul yesterday. [NEWS1]

The Changwon District Prosecutors’ Office yesterday indicted a Korea Credit Bureau employee for selling personal information belonging to more than 100 million customers of three major credit card companies.

Prosecutors said the employee of the private credit rating agency collected names, mobile phone numbers, workplaces and addresses of more than 100 million customers of KB Card, Lotte Card and NH Card while working on upgrading anti-counterfeiting systems for the companies.

He allegedly sold the information to credit companies and marketers, the prosecutors said.

KCB has also been upgrading of the systems of Shinhan Card and Samsung Card, but information about their customers was not collected because it was sufficiently encrypted, according to the companies.

According to the prosecutors, information was leaked about more than 53 million customers of KB Card; 26 million customers of Lotte Card; and 25 million customers of NH Card.

Additional victims may be found as the investigation continues, prosecutors said. Prosecutors believe the leaked information has been kept from being spread any further.

The CEOs of KCB, KB Card, Lotte Card and NH Card made a public apology at a joint press conference held in central Seoul yesterday.

“Owing to a swift initial investigation, there will be no further leakage of the collected information,” said Kim Sang-duk, CEO of KCB.

“Through this incident, KCB learned the importance of constant and enhanced education on ethics and information security for employees,” he continued.

The CEOs of the three card companies declined to comment on whether their data was safely encrypted.

Under revisions of the personal information law last year, CEOs of financial companies that have been negligent in protecting personal information of customers can be punished if found responsible.

The indictment came at a time of increased concerns about security at local financial institutions. In the past five years, there have been a number of cases in which the personal information of consumers has been accessed or compromised.

Before the latest case, the total number of victims was about 2.46 million.

The latest incident was the leakage of personal information of 34,000 customers of Citibank last April. The largest incident was the stealing of 1.75 million people’s information from Hyundai Capital by hackers in April 2011.

The country’s financial regulator has been working to tighten security at financial institutions by advising them to implement more encoded programs and imposing tougher penalties for leaks.

The Financial Supervisory Service will conduct an inspection of the three card companies and their customer information management systems by the end of January.

By Song su-hyun [ssh@joongang.co.kr]