You are here

South Koreans seethe, sue as credit card details swiped

By Reuters - Jan 21,2014 - Last updated at Jan 21,2014

SEOUL — The theft of personal information from more than 100 million South Korean credit cards and accounts, reportedly including those of President Park Geun-hye and UN chief Ban Ki-moon, has ignited a storm of anger and litigation against credit firms.

Worried Koreans on Tuesday packed into branches of one of the banks hit by the theft to ensure their money was safe, while lawyers said 130 people joined a class action suit against their credit card providers in what is expected to be the first of multiple litigations.

“Of course I’m angry. Anyone might know when I pay my credit card bills, let alone my phone number and where I live. I might as well keep all my money in my closet,” said one card user, Lee Young-hye, outside a bank branch.

The biggest breach of personal privacy ever in South Korea has further highlighted the vulnerability of credit card information after tens of millions of US cardholders’ details were stolen from retailer Target Corp during the holiday shopping season.

South Koreans on average have more than four credit cards, something that has contributed to one of the highest levels of personal debt relative to the size of the economy in the developed world.

The data security breach affected around 15 million cardholders, according to official estimates, by far the largest in a series of such scams against financial firms in South Korea going back to 2011. Some previous attacks involved hackers believed to originate from North Korea, but this one seems to have been an inside job.

Financial regulators said a contractor with the Korea Credit Bureau, a private firm that manages the credit information of millions of Koreans for financial services providers, simply loaded details of 105.8 million accounts held by KB Kookmin Card Co. Ltd., Lotte Card Co. Ltd. and NH Nonghyup Card onto a portable hard drive.

The technician was allegedly working on forgery-proofing credit cards when he committed the theft in February, June and December last year, according to regulator Financial Supervisory Service (FSS), citing the prosecutor’s office leading the investigation.

The man then sold the information to at least two people including a loan marketer and a broker, the FSS said. The contractor and at least one other person have been arrested.

Victims sue, demand answers

The first-class action lawsuit was filed against the three credit card companies late on Monday, a day after the FSS revealed the full scale of the theft, according to the law firm representing them.

The victims are each claiming 110 million won ($103,400) in compensation. Lawyers expect more lawsuits to come, as Internet chatrooms and social media seethed with complaints about the security failure.

“We are preparing additional lawsuits regarding the case and are receiving applications from victims,” an official at the law firm leading the litigation said.

Cho Yeon-haeng, president of Korea Finance Consumer Federation, a customer rights group, said: “Proving actual damages will be very difficult, which means at best nominal compensation for emotional injury”.

“What is needed is stopping repercussions by re-issuing all the affected credit cards,” he added.

The stolen information included names, home addresses, and phone numbers, bank account numbers, credit card details, identification numbers, income, marriage and passport numbers.

The FSS noted that credit card passwords were not stolen, although this was cold comfort to South Koreans for whom most credit card transactions simply require a card swipe and signature — without the need for a chip and pin process. Some outlets such as home shopping channels do not even need a signature.

South Korean media reported that President Park and UN Secretary General Ban were among those whose information was stolen, although government officials and the card firms declined to comment. Park’s office declined to comment, while Ban’s office could not be reached to comment.

Executives from KB Kookmin Card, Kookmin Bank, NH Nonghyup Card, Lotte Card and Korea Credit Bureau, which hired the contractor, offered to resign as investigators probed how such a massive data theft could have occurred so easily.

Credit card spending amounted to 451 trillion won ($424.01 billion) in 2012, accounting for 66 per cent of the country’s private consumption, according to data from the Credit Finance Association of Korea.

The Nilson Report, a California trade journal that tracks the payments industry, indicated in its August issue that global card fraud rose to a record $11.3 billion in 2012, from just under $10 billion the year before.

Nearly half the losses occurred in the United States, helped by the lack of the more advanced card readers. (Reuters) — Separately, the US government provided merchants with information gleaned from its confidential investigation into the massive data breach at Target Corp., in a move aimed at identifying and thwarting similar attacks that may be ongoing.

The report titled “Indicators for Network Defenders” brings to light some of the first information gleaned from the government’s highly secretive probes into the Target breach and other retail hacks, including details useful for detecting malicious programmes that elude anti-virus software.

“It’s a shame this report wasn’t released a month ago,” said Dmitri Alperovitch, chief technology officer of the cybersecurity firm CrowdStrike. “It has been frustrating for some retailers because it has been incredibly difficult for most firms to get information. It has not been forthcoming.”

No. 3 US retailer Target disclosed the theft of some 40 million payment card numbers and the personal data of 70 million customers in a cyber attack that occurred over the holiday shopping season. Neiman Marcus also said that it too was victim of a cyber attack, and sources have told Reuters that at least three other well-known national retailers have been attacked.

The document noted that an underground market for malicious software to attack point-of-sale, or POS, terminals has flourished in recent years. Three of the most popular titles for the malicious software include BlackPOS, Dexter and vSkimmer.

“We believe there is a strong market for the development of POS malware, and evidence suggests there is a growing demand,” the report, obtained by Reuters, warned.

The secret service, which is heading up the investigations into the cyber attacks, has declined to comment on what it has learned or identify victims besides Target and Neiman Marcus.

Armed with information

John Watters, chief executive of the security intelligence firm iSIGHT Partners which helped draft the document, said that the government decided to provide information to retailers so they can determine whether their systems have been compromised by hackers.

“The point of getting the technical artifacts out there is that people can go out there and examine their systems and see if they have been compromised,” said Watters, whose firm has helped the secret service in its investigations of retail breaches.

“Now they are armed with information and they can go do something about it.”

A Department of Homeland Security official said the report was drafted to provide the industry “with relevant and actionable technical indicators for network defence”.

The document said that an advanced piece of software dubbed the POSRAM Trojan, was used in the recent attacks.

POSRAM is a type of RAM scraper, or memory-parsing software, which enables cyber criminals to grab encrypted data by capturing it when it travels through the live memory of a computer, where it appears in plain text.

While the technology has been around for many years, its use has increased in recent years as retailers have improved their security, making it more difficult for hackers to obtain credit card data using other approaches.

POSRAM succeeded in evading detection by anti-virus software when it infected the Windows-based point-of-sales terminals, according to the report.

“This report was generated so that we could get it into the hands of commercial entities so that they had information they needed to protect themselves,” iSIGHT Partners Senior Vice President Tiffany Jones told Reuters.

up
41 users have voted.

Newsletter

Get top stories and blog posts emailed to you each day.