Ethical Performance
inside intelligence for responsible business


Financial services customers suffer massive data breach in Korea

February 2014

In early December last year, a District Prosecutors’ Office near Busan, Korea’s second city, announced there had been leaks of customer information from the Korean branches of Citibank and Standard Chartered Bank. About 137,000 pieces of information from the banks were sold to companies marketing loans.

This was not the first time. Over the past five years, about 10 major financial companies – both credit card companies and banks – had suffered leaks. Employees or data security technicians had simply downloaded personal data and sold it to supplement their incomes. Despite the increasing attention paid to cyber security, there appeared to be a worrying lack of attention to ensuring that access to personal data was not abused. Quietly, the Financial Services Commission (FSC) asked 16 companies to conduct internal inspections.

More recently this year, the regulator revealed that some 20m bank clients’ personal data, including bank account numbers, addresses and credit ratings, were leaked from three leading credit card firms: KB Kookmin, NongHyup, and Lotte. A leak also occurred at Kookmin Bank, which shared its customer data with its affiliated credit card firm.

A technician hired by the Korea Credit Bureau, a ratings firm that companies used to help improve their data security systems, stole the data. According to the FSC, the technician, now under arrest, stole personal information on 104m credit cards issued by the KB Financial Group, the NongHyup Financial Group, and Lotte Card from May 2012 to December 2013 by copying it all onto USB devices.

The FSC has instructed financial institutions to check their security. This month, it plans to announce comprehensive measures to protect personal data handled by financial firms. These are expected to include penalties such as heavy fines and the dismissal of senior executives at affected companies.

When news of the scale of the leaks became public, customers flooded the offices of affected banks and credit card firms to cancel or change their cards. Call centres and websites were downed by the upsurge in traffic. Within three days, almost 3m people succeeded in cancelling their cards or applying for a new one.

Heads of the three credit card companies gave a joint news conference, bowing in apology before television cameras and promising compensation for any financial losses to customers. Civic groups announced lawsuits against the card companies. About 20 senior executives in credit card companies and banks have so far tendered their resignations.
