Korean e-commerce firm Interpark
apologized Monday for a massive data leak earlier this year that exposed its users’ personal information.
This includes the names, addresses, email addresses, dates of birth and phone numbers of some 10.3 million users.
“On July 11, Interpark became aware that some of our users’ information had been stolen by a hacker group through an advanced persistent threat attack, and reported the hack to the police the next day,” said an official statement on the company’s website.
In such attacks, a hacker remains within the hacked system and continuously steals data, instead of making a onetime hit.
According to the National Police Agency’s Cyber Bureau on Monday, the attack took place in early May. Interpark became aware of this when the hackers demanded 3 billion won worth of Bitcoin, a virtual form of currency that allows for anonymity.
According to Interpark, sensitive information such as resident registration numbers and account passwords were not attacked.
“The hackers first gained access to an employee’s computer, and identified email patterns that were familiar to the employee before sending an email that contained the malware (and) opening a back door, which is why the employee was fooled,” a spokesperson for Interpark told The Korea Herald.
She said that the back door to Interpark’s system was closed as soon as the hack was revealed.
Although no critical information was leaked, according to the company, Interpark still faces criticism over initially keeping the hack a secret.
When asked why Interpark waited two weeks after the hackers’ demands to alert the public about the leak, the spokesperson said that it was because Interpark and the police wanted to prevent the hackers from erasing their tracks or going underground as long as possible.
“Once the leak was reported by the press, we decided to apologize to our customers right away,” she said.
However, users remain angry, particularly because Interpark changed its user agreement after discovering the hack to stipulate that users themselves were responsible for managing personal data.
Although Interpark denied any correlation between the two events, some users view it as the firm attempting to rid itself of responsibility for the hack.
By Won Ho-jung (email@example.com)