[Editorial] Disastrous data breach

By Korea Herald

Financial firms need to enhance security awareness

  • Published : Jan 21, 2014 - 19:39
  • Updated : Jan 21, 2014 - 20:30

Citizens are seething with anger as they confirm that their financial information has been leaked by their credit card companies. They are also gripped by apprehension as the leaked information could be used by financial scammers.

In the nation’s worst ever data breach, more than 20 million people ― virtually all of the nation’s economically active population ― had their sensitive financial information leaked.

The leak occurred due to lax personal data management by the three credit card companies ― KB Kookmin Card, NongHyup Card and Lotte Card. An official of Korea Credit Bureau, a company that rates the creditworthiness of individual financial customers, illegally collected the client data from the card firms and sold it to people selling loans on behalf of banks.

The data breach has turned out to be more serious than initially thought, as the leaked data included not just credit card information but part of the personal data kept at the banks that settle credit card transactions for the three firms.

The Financial Supervisory Service said data breaches occurred not only at KB Kookmin Bank and NongHyup Bank, the settlement banks for KB Kookmin Card and NH NongHyup Card, respectively, but also at Woori, Shinhan and Hana banks as Lotte Card used them to settle transactions.

The FSS findings have made bank customers feel more insecure. To their surprise, some people have found that their bank information had been leaked even though they do not use or hold any credit card issued by the three card companies.

Prosecutors tried to ease the growing concerns among the public by saying that there was little chance of the leaked data being used by criminal rings, as prosecutors had confiscated the USB drives of loan sales agents before the agents could sell them to other people.

The financial regulator also said criminal rings would not be able to produce fake credit cards using the leaked data because they did not include such key information as passwords and card validation codes.

Yet more than 1 million card users have already had their credit cards canceled or demanded reissuance as they felt increasingly insecure. Citizens should take care not to fall victim to phishing and smishing scams. They are advised to regularly check their online accounts and bank statements.

The main cause of the disastrous data breach is credit card companies’ lack of security awareness. One of the three card companies had not even been aware of the data theft for more than one year. To prevent recurrences, financial companies should change the way they currently manage their security systems.

The financial regulator should also enhance its awareness of the importance of data protection. The repeated data breaches at financial companies stem partly from their lack of security awareness. The FSS should strengthen its monitoring of financial firms’ security systems and toughen punishment of those that fail to protect client data.