Latest case again sheds light on vulnerability of nation’s data security


A 30-year-old Seoulite recently went through a bizarre experience, receiving numerous phone calls every day suggesting that she buy a new smartphone.

What was odd was the fact that all the callers knew her two-year mobile contract was already over. They also offered promotions, recommending that she should make the shift to more advanced handsets running on the fourth-generation Long Term Evolution networks.

“When I told one of them that I bought a new LTE smartphone just a day before I received the phone call, they asked who I purchased it from and what kind of device I made the switch to,” she said, only wishing to be identified by her surname Kim. “It felt like he knew a lot about me when I was only talking to him for the first time.”

KT, the country’s second-largest mobile carrier, announced an apology last Sunday, stating that the personal information of 8.7 million of its subscribers had been hacked.

What is unexplainable, however, is that the hacking had been going on for about five months with KT unaware of what was going on.

“Any company could be hacked since many methods can be used to go past their security gates but what is disturbing is that months have passed by with the company not knowing about the breach,” said Lee Seong-chul, a professor of e-business at Korea National Open University.

“With KT being a telecom that deals greatly with customer’s private information, there needs to be more than just an apology.”

The National Police Agency said Sunday that a man surnamed Choi, 40, developed a hacking program with his co-worker and put it into use beginning in February.

Stealing the personal data of KT subscribers in small amounts over a long time, the group was successful in getting up to 10 different types of information from each user.

However, it is yet unknown what types of routes were used for the group to get the information.

The stolen information included customer names, mobile phone numbers, social security numbers, handset, information the date of service registration, the type of monthly payment plan, the user’s total payment fees and the handset switch date, according to the police agency.

With the obtained data, they were able to sort out which customers were most likely to change their mobile phones with the information already in possession, concentrating on that particular group in their marketing.

“We’ve offered an official apology because the data leak itself was our very own mistake, but we plan to wait until the police investigation is completed involving the issue to come up with a compensation plan,” said a KT official.

According to the company official, the police are currently looking into how exactly the customers’ personal data was utilized and how it came into the possession of Choi and his partner.

The Citizens’ Coalition for Economic Justice, however, demanded that KT release an immediate compensation plan to the 8.7 million subscribers and that they stop collecting private information like social security numbers.

The group also said that the company should come up with a comprehensive privacy protection scheme that is also effective.

“KT’s data leak case can be considered more serious than the case of any other company if the information of its fixed-line service customers, as well as mobile service subscribers, had also been lost for it’s the country’s top fixed-line service operator and once the backbone telecommunications network provider,” said Lee.

The country has seen a number of personal data leakage cases occur at private companies over the past few years, with SK Communications admitting its data leak affecting 35 million customers and online game company Nexon’s 13 million, both last year.

An industry source said that systems that could detect such security breaches and a better work attitude for the firm’s security team must be in place to prevent such happenings.

Some others said that a legal system that asks the firm to take the responsibility in such accidents must be built.

“The best method is to change a firm’s security network with the application of the latest technologies on a regular basis, but this requires a lot of time and money,” Lee said. “Not many companies could make the move in many cases but the mechanisms must be altered in their own time sets to lessen the possibility of a security breach.”

By Cho Ji-hyun (sharon@heraldcorp.com)