Massive Credit Card Data Theft Hits 20 Million South Koreans

Image by Flickr User Don Hankins (CC BY 2.0)

Image by Flickr user Don Hankins (CC BY 2.0)

An unprecedented large-scale theft of customer data in South Korea has affected 20 million people, or about two-fifths of the country's entire population.

The data was lifted by a consultant working for a personal credit rating firm, Korea Credit Bureau, who accessed the user databases of three major credit card companies and sold the information to phone marketing companies.

The dimension [ko] of the confidential information stolen is truly terrifying: Not only basic information such as name, phone number and social security number were taken, but also critical data that could lead to serious abuses, such as credit card expiration date, annual income, residential status, credit limit, credit history and credit records. In some cases, as many as 21 kinds of personal information were stolen.

Right after the news broke, furious customers not only flocked [ko] to the card companies’ local stores, but shared via Twitter a very long list of their stolen personal data, followed by sarcastic comments and downright curses aimed at the firms and authorities: 

Name, social security number, card number, home phone, home address, cell phone number, work address, work position, work place official name, residential status, password question, credit card limit, info of credit card by other firms, credit rating, bank account linked to the card… This kind of info was stolen. But still they say don't worry because at least the CVC (Card Verification Code) number was not stolen. I just want to punch them in the mouth. 

@_2on_:성명 주민번호 휴대전화 자택전화 자택주소 직장정보 카드번호 유효기간 카드정보 결제정보 신용한도 연소득 이메일 직장번호 직장주소[…] 비번도 알려줘라

@_2on_: My name, social security number, cell phone number, home phone and address, work place info, card number, expiration data, card info, card payment info, credit limit, annual income, email, work number, work address have been stolen[…] Why don't you just give away my password as well?

Authorities try to assuage public anger by stressing that the breach has not yet lead [ko] to any real abuses, and several days later, released a package of counter measures [ko], which included more severe punishments placed on the affected firms (suspension of business and higher fines); limitations on financial firms from collecting unnecessary customer information and trading it to a third party; an extension of card customer service hours; and a five-year limit on storing previous customer data. The card companies vow to offer full compensation for the losses and reissue new cards upon request. Not many are satisfied.  

They need to know that is is much easier now to find someone whose info has not been stolen. Reissuing credit cards upon quest? If that is the most effective way, then they should replace every customers’ cards, not just someone who requests it.

The most unpopular measure regulators announced was creating an additional step in the identification process, meaning more hassle for customers: 

It is the companies who leaked the info, but it is the customers who have to bear with the inconvenience caused by the incident. What weird logic. RT @tebica: Authorities are now announcing comprehensive measures against the personal information breach and one of their measures, “adoption of one more identification step when making credit card transactions”, makes people shudder.  

It is not the first data theft of a national scale, but is certainly one of the largest. Many called for more fundamental measures. Twitter user @leesns tweeted:

How many times have we seen thefts of personal information? The current social security number system no longer works effectively in identifying users, but instead has became a tool that can easily be abused by criminals. We should either revamp or scrap the social security number system. And re-issue every credit card and stop firms from trading collected customers’ info.

3 comments

Join the conversation

Authors, please log in »

Guidelines

  • All comments are reviewed by a moderator. Do not submit your comment more than once or it may be identified as spam.
  • Please treat others with respect. Comments containing hate speech, obscenity, and personal attacks will not be approved.