If you didn’t know, now you know: there probably shouldn’t be any expectation that credit card information—or any personal details stored in digital form—is completely safe from hackers. Just as shoppers in the United States were grappling with the theft of 70 million credit card accounts from Target, comes word that credit card data for nearly half of all South Koreans has been purloined. More than 20 million South Korean credit card accounts, including those belonging to President Park Geun-hye and United Nations Secretary-General Ban Ki-moon, were part of the trove plundered in the cyberheist.
The data—including names, identification numbers, income, marriage and passport numbers—was stolen by a computer contractor working for the Korea Credit Bureau, a firm that computes credit scores for consumers and businesses. Ironically, the contractor was ostensibly there working on a project aimed at helping to make credit cards forgery-proof. But from what investigators have been able to piece together, the technician took advantage of the access the credit bureau has to databases run by KB Kookmin Card, Lotte Card, and NH Nonghyup Card, three of the nation’s leading credit card issuers. In February, June, and December 2013, the contractor simply downloaded data to a USB stick and walked out with it. Bad as that easy access was, what’s worse is the fact that the data was unencrypted. Worse still was that the credit card firms didn’t even realize that the information had been copied until investigators pulled the wool from over their eyes.
The entrepreneurial hacker immediately turned the cache into cash; according to officials at the Financial Supervisory Service (FSS), he sold the information to a couple of people, including a loan marketer and a broker. Details regarding the caper began to come out when the contractor and one of the people to whom he sold the data were arrested.
The three companies whose databases were copied issued public apologies and assured the public that steps are being taken to shore up security. Cho Yeon-haeng, president of Korea Finance Consumer Federation, a customer rights group, told Reuters that, “What is needed is stopping repercussions by re-issuing all the affected credit cards.”
Meanwhile, the Financial Services Commission, the country's national financial regulator, issued a statement saying that the credit card firms will cover any financial losses related to the incident. But that hasn’t stopped consumers from filing lawsuits against the credit card companies because of the security lapse. A class-action lawsuit was filed on Monday, one day after the FSS revealed the extent of the data theft.
Willie Jones is an associate editor at IEEE Spectrum. In addition to editing and planning daily coverage, he manages several of Spectrum's newsletters and contributes regularly to the monthly Big Picture section that appears in the print edition.
