With lax security and laws, a flood of leaks
Following the news last week in the United States that Target and six other retailers had been hacked and their customers’ information stolen, Koreans are outraged by massive personal information leaks triggered by a system management employee. The employee is suspected of exposing up to 20 pieces of information for each of more than 50 million people who use KB Kookmin Card, Lotte Card and NH Nonghyup Card.
Korea can be more vulnerable to information leaks than other countries, since it has the world’s largest wireless networks and the highest smartphone penetration.
According to statistics from Data Loss DB, a respected information security website, the number of data loss incidents worldwide jumped from 157 in 2005 to 1,392 last year. In 2012, there were 1,631.
“It is natural to see more incidents involving data leaks these days because collecting data, the so-called big data, is considered power,” says Lee Kyung-ho, a professor at the Graduate School of Information Security at Korea University and a chief information security officer (CISO) at Naver. “The foremost reason why companies share customer information is to maximize their profits.”
The latest data leak may be the world’s largest ever, says Lee. “We assume not only basic personal identities, but also credit and financial transaction information of almost all Koreans have been exposed,” Lee said.
In the United States, Target and other retailers last week said they believed they had been hit by hacking attacks that resulted in massive consumer data leaks, according to news reports.
Target has said the theft of customer data may have affected anyone who provided basic information to the retailer over the past several years.
In December, Target said credit and debit card data for as many as 40 million people who shopped in its stores between Nov. 27 and Dec. 15 may have been compromised. Earlier this month, the company said thieves also got access to names, phone numbers and home and email addresses for as many as 70 million people.
Last year, it was found that Facebook had inadvertently exposed 6 million users’ phone numbers and email addresses to unauthorized users since 2012.
Facebook said the data leaks were inevitable due to a technical glitch in its massive archive of contact information from its 1.1 billion users worldwide.
As a result, Facebook users who downloaded contact data for their list of friends obtained information they were not supposed to have.
In 2011, Sony’s PlayStation Network, an online service that updates open systems for PlayStation, was hacked, and the data of as many as 75 million customers worldwide became vulnerable.
It has turned out that Korea, the world’s most wireless country, has vulnerable management systems and inadequate laws to protect consumer information.
Experts point out that the current law allows financial companies to share information without customers’ consent.
“In Korea, when we issue new credit cards, companies decide our credit line, which means our financial information is already in the hands of financial institutions regardless of whether we make transactions or not,” Lee says.
Most financial companies aren’t paying attention to information security, either. The financial authority requires companies to have CISOs (chief information security officers), but in reality they are given no authority.
“The CISOs at commercial banks currently have no power to invest in strengthening systems or changing policies because they are subordinate to higher positions that are in charge of information transactions but have no expertise in security,” says Lee.
Local experts also say Korean users are required to reveal their identities more than those in other countries.
“The financial authority is mandatorily collecting personal identities due to the law,” says a research fellow at the Center for Information Security Technologies at Korea University.
In response, the Ministry of Security and Public Administration announced yesterday that since August, public and private institutions have not been able to collect resident registration numbers unless there is a plausible legal reason.
Registration numbers already held by companies must be erased by Aug. 6, 2016.
Those who cause leaks of registration numbers will face maximum fines of 500 million won ($470,000).
According to the government, of the 320,000 local websites, 92.5 percent have made unfounded demands for resident registration numbers. Furthermore, 50.3 percent of public institutions demand registration numbers for verification of identity, as do nearly 55 percent of websites operated by businesses.
BY SONG SU-HYUN