The mess over the nation’s worst-ever data breach involving some 20 million people continues despite the financial regulator’s efforts to contain the fallout.
Top financial officials have tried to ease concern among card holders who had their sensitive personal information leaked, by saying that they would not face subsequent damage as prosecutors have seized all stolen data before it could be distributed.
They have also advised the concerned card users to refrain from canceling their cards or demanding re-issuance, as even if financial scammers obtained the stolen data, they would not be able to produce fake cards because it does not include such key information as passwords and card validation codes.
Yet citizens are not convinced by the regulator’s assurances. They continue to flood the three credit card companies ― KB Kookmin, NongHyup and Lotte ― with demands for card cancellations or re-issuances. Since Monday, they have had to cancel or reissue more than 4 million cards.
Their concern is fueled by news reports that, counter to the prosecutors’ announcement that the stolen data has all been recovered, it is being traded by dealers of illegally acquired personal information.
Common sense tells us that the chance of the stolen data having been distributed would be high, given that the data breaches occurred between June 2012 and last December. But as financial officials note, there has thus far been no harm caused to the card holders.
To clear the confusion, prosecutors and financial officials need to investigate the allegations that the stolen data has already been distributed to some loan sales agents.
The financial authorities also need to mend the barn, although the horse has already been stolen. To placate angry citizens, the Financial Services Commission hurriedly announced a set of measures Wednesday. It said it would unveil a more detailed and comprehensive package next month.
The main cause of the disaster was the three card companies’ failure to comply with basic security procedures in dealing with customer data. Under the FSC guideline, they are required to encrypt disks and backup tapes containing confidential data to prevent data usage in case of loss. But they did not follow this simple procedure.
Their negligence allowed an official of the Korea Credit Bureau, which evaluates the creditworthiness of individual customers for the card companies, to illegally collect their customer data and sell it to loan sales agents working for banks.
The FSC plans to significantly strengthen punishment for leaking financial information. More importantly, it intends to disqualify loan agents who use stolen data and impose “staggering fines” on financial companies that earn money using illegally acquired information.
These measures are necessary to get rid of one important source of demand for stolen personal data. Yet to prevent recurrences, the FSC will have to include measures for nonfinancial companies as they are also vulnerable to data breaches.
Currently, many companies over various business fields collect personal details of their customers, even though they are not relevant to their businesses. This practice should not be tolerated anymore.