Low-Tech Thief Steals Data on 100 Million Korean Credit-Card Accounts

Seoul's Gangnam District Photograph by Esch Collection

In Seoul, the world’s most wired city, the heist of data associated with at least 15 million people’s credit cards was decidedly low tech.

On Sunday, Korea’s Financial Supervisory Service, the federal regulator, disclosed that a massive breach of records maintained by Korea Credit Bureau, a private credit rating company, had allowed unauthorized access to 105.8 million accounts—data that were then sold to loan and financial services marketing companies. The stolen information included names, credit card and bank details, passport numbers, and home addresses and phone numbers.

Public outrage quickly followed, as executives at several major credit card companies that had used KCB’s services offered to resign. This week huge lines have snaked around the offices of such major credit card issuers as Lotte Card as anxious customers applied for their credit cards to be reissued. Reuters has reported that multiple lawsuits against three major Korean credit card companies have already been filed.

The largest breach of personal data ever in tech-savvy Korea didn’t require any equipment more advanced than a portable hard drive. The thief had worked as a KCB contract technician in the fraud-prevention department. Over a period of at least 11 months last year, he had simply copied and downloaded millions of credit card numbers, bank details, and other information. And then he sold the data.

One lesson from the scandal, says Tom Coyner, a business consultant in Seoul whose past work has included selling credit card protection software, is that “the most common means of stealing computer data is by employing psychological rather than technical means.” That doesn’t mean that fancy biorecognition technology—such as thumb swipes or iris scans for log-ins—and encryption software aren’t valuable, but they’re useful only if the person entrusted to use them is both trustworthy and careful to avoid unintentional and intentional breaches. “Most often a thief has established the trust and false confidence” of his targets, says Coyner. “Genuine data protection comes down to technical safeguards working in tandem with strictly enforced procedures and policies.”

Korea has the world’s highest number of credit cards per person—five—and credit cards were used for nearly two-thirds of consumer spending last year. That’s despite a new government program, called the National Happiness Fund, meant to curb credit card usage and worryingly high levels of consumer debt. In 2012, the ratio of household debt to disposable income in Korea exceeded that in the U.S. in 2007 on the brink of the housing bust.

The case isn’t likely to produce any Erin Brockovich-like consumer heroes. According to Sean Hayes, an attorney in IPG Legal’s Korea Practice Team, there’s “no such thing” as a class action in Korea; it’s “not possible under Korea law.” That’s because “companies are worried about class actions, and their political power has kept the system out of the courts.” It is possible for multiple cases to “be handled by the same judge panel. Each case, however, is separate, and a class member does not represent the group.”

At such stressful times, some might be tempted to turn to “retail therapy” to ease nerves—but any Gangnam shopaholic accustomed to putting new shoes or handbag purchases on the plastic might now have second thoughts.
