Recently, messages advertising all sorts of gambling sites are constantly ringing our phones. That’s because there has been a nationwide privacy-related accident in the credit card companies. The number of data leaked is about 10 billion which means that the majority of the country’s personal information is secretly leaked out. What is the reason that our personal profiles that should be protected by companies have been exposed to identity theft? By looking a full account of the accident, we need to find out the ways to keep safe the credit information of our nation.
(1) Outline of the event
On January 8th 2014, Changwon District Prosecutor’s Office first published information concerning the case of data leakage from card companies. This incident became the nation’s biggest data breach case ever and according to the report the case has amounted to the loss of some 140 million files. The criminal negligence that caused this event is the actions of the personnel at an outsourcing business that developed a backup system for credit card firms. A 39-year-old surnamed Park who is the deputy head of the KCB co. has been charged with the illegal obtainment and distribution of confidential data from KB Kookmin Card Co., NH Nonghyup Card Co. and Lotte Card Co. Park is also accused of stealing the client data and selling them to advertising agencies and other lenders. According to the investigation, the incident occurred in October, 2012. The thing is that credit card firms did not find out about this fact until the police authorities publish their report on January, 2014.
The data spill of the three credit card firms affected one out of every two citizens of South Korea. The leak included essential financial information including resident registration number, card and account number, office address, home address, annual income and even the sum of credit card use record. In addition, there was data related to credit card use, so the secondary damage like the forgery of credit cards or financial fraud is possible.
(2) The cause of information breach
Data breaches are not a recent issue. As our society has shifted to a credit-oriented society in the 21C, various kinds of crimes using personal information have emerged, and the credit card firms holding different kinds of private information have become a target for various crimes. Yet regardless of having similar incidents in the past, the faults haven’t been quickly corrected, and as a result there have been continuous similar incidents thereafter. Still, there are several defects that need to be rectified in order to prevent a recurrence of this recent event.
First of all, South Korea credit card companies have been severely insensitive when it comes to security. The actual data breach occurred in 2012, and the credit card firms discovered this event one year after it occurred. What was worse, if there had not been an announcement by the prosecutor’s office, this case might have escaped the card companies’ notice. Besides there’s a problem in the system of security in that an employee of an outsourcing company could easily take the companies’ private information by USB. A lot of financial companies are neglecting management, and have entrusted security to outsourcing companies in order to reduce high security related costs. This attitude of looking for the easy way has caused an incessant leakage of personal information.
Also, light punishments for those committing information related crimes is another contributing factor. The restrictions imposed on financial companies concerning data breach have been trivial in the past. In reviewing foreign cases, when it comes to identity theft, governments have imposed over 3 billion dollars in restitution for information related crimes. On the other hand, our country just inflicts a fine of six million won and gives the penalty to the organization. Such a light punishment will never avert criminals from the dangers of identity theft.
Moreover, the Credit Information Use and Protection Act regulated by the Financial Services Commission does not follow the basic rules of the Personal Information Protection Act regulated under the Constitution. In the Personal Information Protection Act, there’s a provision that when using or collecting personal information, there must be the subject’s consent. However, this article was not applied to the Credit Information Use and Protection Act. This has allowed customers to be exposed to various credit crimes.
(3) Stance of government, card firms, and civic organization
Concerning the credit card companies’ information breach incident, the government has been sharply criticized. President Park Geun-hye has pointed out that the indiscriminate collection of private information, disregard for basic process of security, and the application of illegally leaked information has caused the country’s worst personal data leakage incident. In addition, President Park blamed companies for pursuing their own profit, instead of being customer-oriented. The government is seeking countermeasures to prevent customers from suffering these damages again. In addition, President Park ordered her cabinet to explore alternatives to the current system by reviewing polices used in other countries. Lastly, she emphasizes that she will argue that responsibility be strictly enforced concerning the damage that has occurred.
As representative of the three credit card companies,Shim Jae-oh, president of KB Card, stated that the companies will try their best to assist the prosecution‘s investigation, and also conduct self-investigations so as to prevent further damages to customers. They also promised to pay for any financial losses that may result from the leaks. Lotte Card and NH Card made similar apologies and constructed plans for compensation.
Citizens are demanding to the replacement of the current resident registration number system in the wake of the country’s personal data leakage incident. The public remains skeptical of the safety and security of their personal data and financial assets. There are claims that the current resident registration number system’s fundamental problem can not be solved without eliminating the system’s elements of allowing the invasion of human rights. Hence civic organizations have called for resident registration number, which is a ‘master key’ in any sorts of information, to be abolished.
(4) The Countermeasures after information breach
To begin with, at the personal level, it is recommended that one cancel credit cards and ask for new ones to be issued. When checking out privacy-related damage, customers have to use official Web sites, and never click on any URL that comes.
Next, on an industrial level, the card companies need to minimize the damage to customers and try hard to restore the public’s trust. Also, precautionary measures are important to prevent the recurrence of such an accident. Lotte group held a ‘Lotte Group Information Protection Committee’ to recheck inner information security system and discuss further measures for strengthening information protection. They plan to restrict the authorities accessing to the customers’ personal information, and enforce procedures concerning the access to information allowed to outsourcing companies. Also, Lotte group announced that constant inspections will be conducted.
Lastly, on a national level, the government needs to levy punitive penalties on the three credit card companies involved and find an institutional strategy that prevents any reoccurrences of this incident. As a result of this huge information breach incident, credit card companies will face three-month suspensions and high-level officials including each company’ CEOs resigned as a sign of their deep regret. However, these punishments are not enough to prevent the reoccurrence of such an incident. In order to guarantee the rights of customers, the Democratic Party has called for the institution of punitive damage reimbursement, and a class-action suit. A punitive damage reimbursement is the system in which customers may receive compensation considering the occurrence of an illegal behavior that deserves ethical condemnation. A class-action suit is a collective action system that simplifies complicated legal procedures for victims who share similar cases. Through devising its response, the government should try to restore the confidence of financial consumers.
South Korea became one of the world’s top users of credit cards. Every economically active population possesses over 5 credit cards on average, and the percentage of those using credit cards in consumption expenditure is now almost 60%. The most severe damage caused by this incident is that it damaged the public‘s confidence, which is the fundamental in a credit using society. In losing public trust, the financial companies whose business is based on consumer’s confidence are facing their greatest crisis. In this sense, the selling and buying of the confidence of the public may not be allowed to continue in the future.