Card companies’ personal data leak was wider

More than four-fifths of the personal information stolen from 104 million accounts at three credit card companies in January was found to have been resold again, contradicting the government’s earlier claim that it had contained the spread of the data.

On late Thursday, the Changwon District Prosecutors’ Office said it found that data from 83 million accounts was sold to seven private lending companies.

The office said it arrested five people working for the companies that bought and used the data to market the loans.

In January, prosecutors and top financial regulators including Strategy and Finance Minister Hyun Oh-seok and Financial Services Commission Chairman Shin Je-yoon said there was no chance the data purloined from KB, Lotte and Nonghyup could have been used for commercial purposes without the knowledge of the card holders.

When it first released the results of its investigation, the prosecution said because it secured a USB drive used by the thief to hold the data, there was no secondary leakage.

But following the prosecution’s revelation Thursday, rumors spread that the data had been widely traded.

The Financial Supervisory Service said yesterday it launched a re-investigation into Lotte and Nonghyup and will do the same with KB on Monday.

In January, the prosecution arrested a Korea Credit Bureau employee surnamed Park, who stole the data from the credit card companies, and a loan marketer surnamed Cho, who purchased some of the data.

Park downloaded the personal account information from KB, NH and Lotte Card while working as a development manager of a credit card fraud detection system for the card companies from May 2012 until the end of last year.

Park allegedly stole data from 53 million accounts at KB, 26 million at Lotte and 25 million at NH Nonghyup Card.

The data included the customers’ names, credit card numbers, resident registration numbers, bank accounts and phone numbers.

In January, the prosecution said Park sold information from 79.8 million accounts to Cho for 23 million won ($21,462) and there was no further spread of the stolen data.

But after the prosecution investigated Cho’s company, it found that the personal information was sold again to other loan peddlers.

There were three private lenders and four loan service companies that were operated by Cho’s relatives. The information from around 80 million accounts was sold in total to the seven companies.

“Nevertheless, improper use of the credit cards is unlikely as the leaked data does not include passwords,” said the prosecution. “Also, even though the information was used in loan marketing, it is unlikely it was used for financial crimes such as telephone phishing.”

But the news sent a new wave of fear among consumers who feel misled by the prosecution and authorities about the extent of the leaks.

“We arrested the first disseminator and illegal data collectors of the personal information and confirmed that there is no additional leakage,” said the Financial Services Commission head Shin Je-yoon at the National Assembly Policy Committee on Jan. 23. “We are confident that there is no secondary damage.”

Analysts recommended card holders check their statements since January 2012. The prosecution reaffirmed Friday that the leaks started in January 2012, not October 2012 as claimed earlier.

BY KIM JUNG-YOON, PARK YU-MI [kjy@joongang.co.kr]