NH needs to explain itself

We are dumbfounded by the porous electronic banking management systems of Nonghyup, Korea’s fourth-largest retail bank, with 30 million customers. The Financial Supervisory Service’s latest investigation found that among NH’s 686 identification numbers, which allow major servers and databases access to its control system, there were several passwords particularly vulnerable to hacking. For example, NH has been using simple passwords like “1” or “000.”
As it turns out, the bank was using the very passwords it had not allowed its customers to use. In some cases, the bank didn’t change passwords for seven years, ignoring an FSS regulation that says banking companies should change them every three months. It was also revealed that even when it did change passwords, NH opted to add only one- or two-digit numbers to them.
NH also continued to use a temporary password provided by a contractor that installed software in NH’s computer networks. The FSS stipulates that banking institutions as well as their customers use passwords that are longer than six digits, and NH mandates passwords combining more than eight English characters and numbers. But these guidelines were ignored.
A politician argued that NH had attempted to cover up the hacking incident, which resulted in a leak of its customers’ private information. Kang Suk-ho, a lawmaker with the ruling Grand National Party, said that the bank’s IT headquarters didn’t report the incident to the police even after arresting the hacker in 2008. If the lawmaker’s words are true, it means the bank attempted to silence the offender by giving him money.
And that amounts to rewarding, not punishing, a criminal for his crime. If this is really what happened to the bank, it has no excuse for the breakdown of its electronic banking system. No matter how hard the bank shouted for internal reform, the latest fiasco vividly shows it has failed to revamp its bureaucratic image.
Prosecutors investigating the NH crisis mentioned Wednesday the possibility that a highly trained hacker group committed the crime. Yet the bank has consistently been saying there is no such possibility at all. Whenever an accident occurs, the prosecution has to investigate it by leaving the door wide open to any possible scenario. Choi Won-byeong, the bank’s CEO, must explain why it continues to deny the possibility that someone could have hacked into the bank’s system.