Card Customer Information Leaked in South Korea
5 February 2014
Personal data kept by three Korean card companies have been leaked. The number of leaked accounts exceeds 100 million, double the South Korean population of approximately 50 million. Although similar types of fiascos have happened in the past, this is one of the biggest leak incidents prompting card companies to revisit their efforts on maintaining sound risk management to prevent such a serious situation. I visited a bank when this fiasco happened and there were more than 70 people waiting to either change or cancel their credit cards. Card companies’ call center lines were also flooded for over a week and according to statistics released by the government, there were some 840,000 card secessions and approximately 6 million card close and reissuance as of February 1. Looking at it closely, the leak started from one employee at a credit bureau. This person was on loan to the card companies to develop a system to prevent loss, theft and forgery of cards. The regulator announced that they already arrested the suspect and retrieved all leaked information. Therefore, they said that they do not expect secondary damages from this incident. However, consumers are advised to be on the alert for secondary damages other than card forgery; e.g., smishing (SMS phishing) and voice phishing. This credit card fiasco occurred because the firms ignored basic compliance. The card companies should have encrypted customer data and not allowed third party staff to use USB memory devices. This fiasco reflects card companies’ low awareness of risk management. Regulations regarding customer data have been developed but card companies didn’t follow them appropriately. Both the regulator and card companies should reconsider initiatives to prevent a recurrence. Also, card companies need to not only upgrade data centers and peripheral systems but also thoroughly educate all staff about customer information protection. Although advanced systemization has been developed, the responsibility of each employee is still extremely important and card companies should keep in mind that they are highly responsible for keeping customer data safely.