Personal data leaks snowball to 104 million

Choi Jong-ku, chief vice governor of the Financial Supervisory Service, holds a press briefing yesterday at the financial regulator’s headquarters in Yeouido-dong, western Seoul, to describe the leaks. [NEWSIS]

The leaks of personal information from credit card companies were much worse than previously thought and victims include CEOs of financial companies and the heads of the local financial watchdogs.

The Financial Supervisory Service convened a hastily arranged press conference at which it admitted, aside from the credit card companies, many of the country’s major commercial banks and financial institutions were affected by the leaks, too.

The FSS tried to calm the situation by saying that no fraud has been detected as a result of the leaks. But banks and financial companies were reportedly bracing for a wave of complaints and account terminations by customers.

Later yesterday, the FSS issued a warning to the public to be suspicious of any calls supposedly coming from financial companies, saying fraudsters might take advantage of the bad publicity about the leaks to cheat people.

“I can’t believe so much information has been leaked and yet the card companies are closed for the weekend despite such an urgent situation,” a public servant posted on an online bulletin board.

Panic started to mount Saturday morning when the three credit card companies - KB Kookmin Card, Lotte Card and NH Card - started offering a service through which the public could check whether their personal information had been compromised.

Many customers learned that more information was leaked than they previously believed, including names, resident registration numbers, home addresses, phone numbers and even credit limits.

High-level government officials had their accounts compromised, including Shin Je-yoon, chairman of the Financial Services Commission, and Choi Soo-hyun, governor of the FSS.

CEOs and politicians lost personal information. Local media reports claimed that personal data on President Park Geun-hye and UN Secretary General Ban Ki-moon was leaked too.

Rumors started to spread through the Internet that with access to detailed credit card information, other people could charge purchases on innocent victims’ cards.

Information was leaked not only on current card holders but also people who canceled their cards. In the case of Lotte, information was leaked on customers who had died.

By law, credit card companies can hold information about former customers for up to five years and information on customers who have died can be held for as long as 10 years.

The FSS said KB Bank, the country’s largest bank, was also victimized. The leaks of information of KB Card holders also affected customers of Kookmin Bank and other KB affiliates who don’t have a KB Card.

By law, an affiliate credit card company of a banking group is allowed to have access to the bank’s customer information.

The FSS and the Changwon District Prosecutors’ Office confirmed that 17 kinds of information was leaked, elevating the risks of phishings and financial frauds.

This included vital information such as credit card numbers, expiration dates, credit limits and customers’ annual incomes. Fortunately, the credit cards’ CVC (card verification code) numbers were not leaked.

The prosecutors’ office found that a 39-year-old employee of the Korea Credit Bureau, an independent credit rating firm, illegally leaked about 104 million pieces of cardholders’ personal and financial information to people marketing bank loans, the FSS explained at the briefing.

The KCB employee and the information buyers were indicted on Jan. 8. The employee carried the information via USB flash drives.

NH and Lotte Card users who linked their credit cards to NH Nonghyup Bank and other banks - including Shinhan Bank, Hana Bank and Woori Bank - had their information leaked. The victims in the banking sector alone are estimated at up to 10 million.

The FSS reported that the total number of victims are estimated at 104 million - 53 million for KB Card, followed by Lotte Card’s 26 million and NH Card’s 25 million.

The financial authority warned the public to beware of any calls or messages that claim to be from government agencies, financial authorities or financial companies.

They said the public should not click on any links they receive by messages or emails, which could plant malware on their phones or computers.

The malware can give fraudsters access to more information on the device or computer.

The FSS said consumers should be wary of calls or messages from any telephone number except for the numbers designated by the financial companies, which are KB Kookmin Card’s 1588-1688 and Lotte Card’s 1588-8100. NH Nonghyup Bank said it does not text or make phone calls for information from customers.

There has been no significant damage reported so far aside from small bank transactions and phishing activities.

But the public was worried and getting angry over the leaks.

Some customers threatened legal action against the companies.

A lawyer in Gangnam District, southern Seoul, is assembling angry card holders by asking them to pay 9,900 won, or $9.32, each for a legal battle. He is planning to take 20 percent of any settlement.

In early December, the Changwon District Prosecutors’ Office announced there were leaks of customer information from Citibank and Standard Chartered Bank. About 137,000 pieces of information from the banks were sold to companies marketing loans.

The financial regulator requested 16 financial companies with a risk of information leaks to conduct internal inspections in late December. The inspections found that about 1.27 million pieces of information were illegally leaked, affecting about 650,000 victims - 240,000 from regular commercial banks, 2,000 from savings banks and 110,000 from loan companies.

BY LEE HO-JEONG, KIM JI-YOON [jiyoon.kim@joongang.co.kr]