KT safety system easily cracked by novice hackers
KT Chairman Hwang Chang-gyu apologized yesterday for a massive information leak at the company, which compromised the personal data of about 12 million clients. He made a public apology, bowing three times, yesterday at the KT headquarters in central Seoul. [NEWSIS]
“We have no excuse for another information leak following similar accidents in 2012, despite our pledge to strengthen the security system. It is so shameful for KT .?.?. to have had two major leaks of customer information,” Hwang said yesterday at the mobile carrier’s headquarters in downtown Seoul.
“We will make swift innovative changes by employing all experts, including those from outside, and thoroughly rectify past wrongdoings so that KT can become an industry leader,” he added.
Hwang, who officially became KT chairman in late January, said the company will come up with measures to prevent secondary damage to clients whose information was leaked.
However, he did not elaborate further, stating that KT has not yet received the investigation report, which would provide exact details that would help the company in more accurately carrying out damage control.
“We are truly sorry that we cannot answer all your questions at the moment,” Hwang said.
On Thursday, it was reported that KT’s system was hacked, compromising 12 million clients. The data stolen included clients’ resident registration numbers, account information and addresses - crucial information that can be used in fraud or identity scams.
The incident comes just two months after three major credit card companies were involved in the nation’s largest breach of personal information, which not only tarnished the country’s reputation as an information technology powerhouse but also raised concerns regarding how companies manage and protect the personal information of their clients.
But perhaps more concerning was how easily KT’s security system was cracked.
According to the Incheon Metropolitan Police Agency, those responsible for the leak were able to access the personal data using an extremely simple hacking program that automatically entered nine random numbers on the website’s search engine to look up individual clients’ smartphone charges.
The hacker, surnamed Kim, 29, reportedly created the program and based it on another popular hacking program, called Paros, and attempted to hack the three major mobile carriers - SK Telecom, KT and LG U+ - through their websites.
Apparently, among the three, KT was the easiest to access.
Kim stole information from 200,000 to 300,000 KT clients each day over the past year through KT’s website, olleh.com. The hacker then turned the lists of names to a smartphone retailer in Incheon - who was only identified as Park by the authorities - in exchange for 3 million won ($2,826), according to police. Additionally, every time Park sold a smartphone using the list, Kim received 5,000 won.
Later on, Kim included a 38-year-old man, surnamed Jung, in expanding the business by using the stolen data from KT’s clients and setting up a telemarketing company.
They hired 20 telemarketers, who were tasked with calling up customers whose service contracts with the mobile carrier were coming to an end and asking if they were interested in a new smartphone.
The trio sold more than 150 smartphones each day using illegally obtained data - an exceptional feat considering most other smartphone retailers struggle on average to sell even three or four phones daily. In total, they sold approximately 11,000 new smartphones worth 11.5 billion won, authorities said.
KT said that as soon as it receives the list of clients whose information had been exposed, it will set up a website that individuals can use to check whether they have been victimized.
Over the past 10 years, the mobile carrier’s system has been compromised multiple times.
In 2004, the personal information of 920,000 clients was exposed, including names, phone numbers, resident registration numbers and email addresses.
Even the make and model of their phones was laid bare.
Later, seven KTF employees were found to have sold that data to telemarketing companies. KTF merged with KT in 2009.
After the episode, KTF created a client information protection center that operated at its headquarters.
In July 2012, KT’s system was hacked again, compromising the personal data of 8.7 million customers. The company announced that it would create a system by the third quarter of 2013 that would prevent its clients’ information from being hacked, though the system has yet to be installed.
Enraged by KT’s lack of security, legal threats have mounted.
“There has been a flood of phone calls by the victims of this incident inquiring about filing a lawsuit,” said a lawyer at a local law firm. “It’s also possible that some clients who proceeded with a lawsuit against KT in July 2012 could be added for this incident.”
The Ministry of Science, ICT and Future Planning, in the meantime, said it will launch a privacy technology task force and discuss fundamental preventive measures.
It has also embarked on an on-site investigation in cooperation with the Korea Communications Commission and private technology experts.
BY KIM JUNG-YOON [kjy@joongang.co.kr]
with the Korea JoongAng Daily
To write comments, please log in to one of the accounts.
Standards Board Policy (0/250자)