Card Customer Information Leaked in South Korea
5 February 2014, KyongSun Kong
Personal data kept by three Korean card companies has been leaked. The number of leaked accounts exceeds 100 million, double the South Korean population of approximately 50 million. Although similar fiascos have happened in the past, this is one of the biggest leak incidents, and it is prompting card companies to revisit their efforts to maintain sound risk management so that such a serious situation does not happen again.
I visited a bank when this fiasco happened and there were more than 70 people waiting to either change or cancel their credit cards. Card companies' call center lines were also flooded for over a week, and according to statistics released by the government, there were some 840,000 card membership withdrawals and approximately 6 million card closures and reissuances as of February 1.
Looking at it closely, the leak started with one employee at a credit bureau. This person was on loan to the card companies to develop a system to prevent loss, theft and forgery of cards. The regulator announced that it had already arrested the suspect and retrieved all leaked information, and said that it therefore does not expect secondary damage from this incident. However, consumers are advised to be on the alert for secondary damage other than card forgery, e.g., smishing (SMS phishing) and voice phishing.
This credit card fiasco occurred because the firms ignored basic compliance. The card companies should have encrypted customer data and should not have allowed third-party staff to use USB memory devices. The fiasco reflects the card companies' low awareness of risk management. Regulations regarding customer data have been developed, but the card companies did not follow them appropriately.
Both the regulator and the card companies should reconsider their initiatives to prevent a recurrence. Card companies also need not only to upgrade data centers and peripheral systems but also to thoroughly educate all staff about customer information protection.
Although advanced systemization has been developed, the responsibility of each employee is still extremely important, and card companies should keep in mind that they bear a high degree of responsibility for keeping customer data safe.