Theft of Data Fuels Worries in South Korea
By CHOE SANG-HUN
SEOUL, South Korea — A string of senior executives at three credit card companies in South Korea offered to resign on Monday after a huge theft of client data that may have affected 20 million people in this nation of 50 million.
The case became known this month when prosecutors arrested a 39-year-old technician hired by the Korea Credit Bureau, a ratings firm that the credit card companies had hired to help improve their systems to protect client data. It was subsequently disclosed that the man stole personal information on 104 million credit cards issued by the KB Financial Group, the NongHyup Financial Group and Lotte Card.
The man, identified only by his last name, Park, stole the data from May 2012 to December 2013, copying it onto a USB device, prosecutors said. The data included the names, phone and South Korean social security numbers, email and residential addresses, salaries, monthly card use and other credit-rating information of clients, the Financial Supervisory Service, a regulatory agency, said in a statement. In many cases, card numbers were stolen as well.
Prosecutors have also indicted two phone marketing company managers on charges of buying the stolen data from the technician. Prosecutors said they found no evidence that the data had circulated any further, but fears spread that the information may have fallen into the hands of financial scammers.
“Personal information was leaked but hasn’t been distributed,” Shin Je-yoon, the chairman of the Financial Services Commission, the government’s top financial regulator, told reporters Monday. “I see people are really worried that the information leak could lead to misuse of their credit cards, but such chances are slim.”
Still, angry clients were rushing to bank branches or flooding the card companies’ call centers and websites with inquiries on whether their data had been stolen. Some demanded new cards. On Monday, lawyers and civic groups were announcing lawsuits against the three firms.
The trouble was severe enough to force the government to take steps to try to ease the jitters. Prime Minister Chung Hong-won ordered the government on Monday to “significantly boost punishment” for those responsible.
Later in the day, the heads of the three credit card companies appeared in a joint news conference, bowing before television cameras and promising compensation for any possible financial losses to customers.
But the political mood further soured later in the day, as Mr. Shin, the top regulator, bowed before lawmakers for failing to prevent the theft. By Monday afternoon, senior executives of the credit companies began handing in their resignations.
South Korea, one of the world’s most wired nations, has been one of its most prolific issuers of credit cards. The government has encouraged the use of credit cards to fight corruption, a bane of the country’s corporate world, by making financial transactions easier to trace. Many people hold multiple credit cards.
A South Korean citizen can virtually live without carrying any cash. Every taxi, bus, bar, newsstand and restaurant takes credit cards.
But the country’s financial industry has also been plagued by a series of large-scale breaches of client information through hacking attacks or by their own employees, exposing how poorly local companies managed their confidential customer data.
In the world of cybersecurity, external threats have been considered the greater risk and traditional security defenses have focused on them. Antivirus solutions and firewalls were considered sufficient to keep outsiders from breaking into organizations. But now, with employees carting corporate data around with them on their personal mobile devices and storing proprietary data on their personal Dropbox and Google accounts, the risk of data loss from insiders is much greater. A new set of data security products is trying to protect data from insiders as well.
Security companies like Imperva, which is based in Redwood Shores, Calif., wrap additional security around valuable assets inside corporate and government data centers. Other companies like Splunk, a San Francisco software company, and Sumo Logic, a Redwood City, Calif., company, analyze data as it moves around an organization, looking for patterns and recognizing anomalies — like an employee’s transfer of unusually large troves of information from a corporate database — so they can alert information technology professionals to red flags in real time.
Still, security measures have to be used to be effective. South Korean regulators told reporters on Monday that the stolen data from the three credit card companies was not encrypted.
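Personal Data on More Than 100 Million South Korean Credit Cards Leaked and Laid Bare
Park Geun-hye and Ban Ki-moon reportedly among the victims; hundreds of thousands demand card deactivation, overwhelming banks and paralyzing websites; chief executives of 3 credit card companies step down to take responsibility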
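South Korea has recently been hit by the worst credit card personal data leak in its history: personal data tied to 104 million credit cards was stolen and sold, affecting at least 20 million people, and the personal data of South Korean President Park Geun-hye and of Ban Ki-moon, the South Korean secretary general of the United Nations, was reportedly stolen as well. The chief executives of the three credit card companies announced together on the 20th that they would step down to take responsibility, lawyers and civic groups filed suit against the three companies, and hundreds of thousands of angry cardholders poured into banks or called the card companies' customer service centers to demand that their cards be deactivated.
The New York Times reported that earlier this month prosecutors arrested a 39-year-old technician surnamed Park at the Korea Credit Bureau who was responsible for improving the security of client data systems. Prosecutors later found that he had stolen and sold personal data on 104 million credit cards issued by the KB Financial Group, the NongHyup Financial Group and Lotte Card.
Prosecutors said the suspect, Park, stole the personal data from May 2012 to December 2013, copying it onto a USB drive. The Financial Supervisory Service said the data included names, phone numbers, South Korean social security numbers, email and home addresses, salaries, monthly card spending records and other credit-rating information; the credit card numbers of many customers were leaked as well.
Prosecutors have also indicted managers at two phone marketing companies on charges of buying the data. Prosecutors said they had found no evidence that the data had circulated any further, but the public fears that it has already fallen into the hands of fraud rings.
Shim Jae-oh (沈在吾), chief executive of KB Kookmin Card, Sohn Kyung-sik (孫京植), chief executive of NongHyup Card, and Park Sang-hoon (朴相勳), chief executive of Lotte Card, all announced their resignations. All executives of the bank and the credit card company under the KB Financial Group, along with eight other Lotte executives, also tendered their resignations.
Prime Minister Chung Hong-won ordered "severe punishment" for those responsible. Shin Je-yoon, chairman of the Financial Services Commission, the top financial regulatory body, bowed in apology before lawmakers for failing to prevent the case.
Yonhap News Agency reported that as of midnight on the 21st, the three major credit card companies had received 430,000 applications for reissued cards; counting cancellation and deactivation requests as well, at least 630,000 customers have stopped using their original cards.
Although the three companies deployed thousands of additional staff, so many people were cutting up their cards that customer service lines could not be reached at all and the related websites were paralyzed. Many people went to banks in person to cancel or replace their cards, resulting in long lines.
The South Korean government encourages citizens to use credit cards, fighting corruption by making financial transactions easier to trace. Every taxi, bus, bar, newsstand and restaurant in South Korea accepts cards, and South Koreans can get by without carrying cash.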
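Original article:
http://www.nytimes.com/2014/01/21/business/international/theft-of-data-fuels-worries-in-south-korea.html
Translation from the New York Times Chinese edition:
http://cn.nytimes.com/asia-pacific/20140121/c21skorea/zh-hant/
2014-01-22. United Daily News, page A14, International. Translated and compiled by Li Jing-lun (李京倫)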