A decade-long legal battle involving a data breach that affected the majority of the South Korean population concluded last week. The court confirmed a compensation award of $48 million to a credit card company.
The Supreme Court of Korea has rejected the appeal of the defense and ordered the company to pay 62.3 billion won (approximately $48 million), along with compensation for delayed damages, to the corporate plaintiff. This decision comes after the plaintiff’s customer data was stolen in 2013 by an individual employed by the accused firm.
In 2016, KB Kookmin Card (KB) initiated legal action against Korea Credit Bureau (KCB), accusing it of irresponsibly placing a new employee, who had undergone merely a day’s training, in a position that entailed managing customer information. This employee subsequently managed to exfiltrate data belonging to KB’s customers. The volume of data compromised in this breach was approximately 53,780,000 records, surpassing the entire population of South Korea, which stands at around 51,300,000.
The final judgment, reached on January 25, came to public attention when local broadcaster SBS reported the news on March 15.
◇ Wrong person on the job
Founded in 2005 by 18 financial institutions in South Korea, Korea Credit Bureau (KCB) is a credit rating agency that offers various services, including a Fraud Detection System (FDS), to its clients. In 2012, KCB dispatched an employee to three credit card companies, including KB, to upgrade their FDS. The employee, surnamed Park, managed to download customer information from the three companies onto a USB flash drive during his assignment.
Between December 2012 and December 2013, Park illegally acquired a total of 104,000,000 records of personal data from inadequately protected computers at the three companies. Specifically, he stole 53,000,000 records from KB, 25,000,000 from NH Nonghyup Card, and 26,000,000 from Lotte Card. Subsequent investigations revealed that the affected firms had not implemented essential security measures, including USB device control software, to prevent such breaches.
The discovery that Park failed to access customer data at other credit card companies, thanks to their deployment of encryption software that blocked unauthorized access attempts, sparked significant criticism against the three compromised firms. This criticism intensified upon the public’s realization that these companies had failed to implement basic security measures, despite existing mandates from the nation’s financial regulator, the Financial Supervisory Service (FSS), regarding USB device controls at the time of the breach.
The data that Park downloaded contained 18 types of sensitive information, encompassing customer phone numbers and credit card numbers, among others sensitive information.
The stolen data was distributed to multiple parties. Initially, Park sold 79,800,000 records of personal data to a loan advertising agency for 16,500,000 won (approximately $12,500). Subsequently, this agency sold the same data to a loan broker for 23,000,000 won (about $17,400).
The three credit card companies remained unaware of the breaches for seven months, until prosecutors disclosed the incidents in January 2014. In October 2014, Park was sentenced to three years in prison. Furthermore, the Financial Services Commission (FSC) imposed a three-month business suspension on the three card companies, spanning from February to April 2014.
◇ Public awareness and amendments to privacy law
In reaction to the growing public outrage against the credit card companies, senior executives at these firms announced their resignations in quick succession, though it later emerged that most did not actually relinquish their positions. For instance, during the peak of public hostility in January 2014, a total of 27 executives at KB Financial Group, the parent company of KB Kookmin Card, declared their intention to resign. However, about a week later, the company accepted the resignations of only 3 out of the 27 executives.
In April 2015, South Korean citizens initiated a lawsuit against KB, NH Nonghyup, Lotte, and KCB. The court ruled that the accused companies must compensate each of their breach victims with 100,000 won (approximately $75), acknowledging the fact that the exposed data was unable to be retrieved.
Three months after the lawsuit, in July 2015, South Korea amended its privacy legislation. The Personal Information Protection Act was updated to include punitive damages for data breaches and to increase the level of sanctions. Under the new provisions, penalties could reach up to 10 years in prison and fines of up to 100,000,000 won (approximately $75,000).
Additionally, the Financial Services Commission (FSC) announced new guidelines for financial institutions, requiring them to collect only the minimum necessary information from their customers, enforce strict encryption on sensitive data, and obtain separate authorizations for sharing data with third parties, based on the level of necessity.
