ASIA NEWS NETWORK
What it takes to safeguard personal information
Publication Date: 03-02-2014
While South Korea is one of the most wired nations in the world, it is a laggard when it comes to protecting personal information. Despite the unending series of disastrous data breaches at public and private organizations, security awareness still remains woefully low among companies, regulators and citizens.
The recent debacle involving the three credit card companies - KB Kookmin, Nonghyup and Lotte - clearly shows how serious the problem is. Due to the card issuers’ security negligence, more than 100 million personal details of some 20 million people were stolen in the nation’s worst ever data theft.
The leaked data included not only basic personal information such as addresses, resident registration numbers and mobile phone numbers, but also sensitive financial details, such as credit card numbers, expiry dates, bank account numbers and annual income.
While previous fiascos were caused mostly by hacking attacks, the latest one was attributed to an insider. The main culprit was an employee of Korea Credit Bureau, a personal credit ratings firm that developed for the three card companies a program to prevent fraudulent use of credit cards.
The KCB employee illegally copied truckloads of credit card user data onto a USB memory stick and sold it to a broker of stolen financial data, who in turn sold it to telemarketers of financial products and services.
He could access the vast amount of data because the card companies had left it unencrypted, a violation of the Personal Information Protection Act. Furthermore, the companies did not strictly control the use of portable storage devices on the corporate premises, allowing the KCB official to bring his USB stick in and out freely.
All this means the data theft was a man-made disaster that could have been prevented had the card companies complied with basic security procedures. They did not bother to follow the rules because they did not take security threats seriously.
A recent survey conducted by the Ministry of Security and Public Administration shows that the awareness problem is not limited to the three card companies. The 2013 survey found that about 73 per cent of the 2,000 companies polled had no department tasked with protecting personal data. What’s more, 96 per cent said they had not allocated any budget to the protection of personal information.
The survey suggests that information security culture is lacking in a large majority of domestic corporations. They fail to understand that information security is a part of essential business activities. To them, personal data protection is simply an expense rather than an investment.
Corporate security negligence is also encouraged by soft penalties. Last year, the Personal Information Protection Act was toughened. Under it, private or public companies that are found to have left personal information unencrypted are subject to fines of up to 30 million won.
However, the regulations applied to financial companies are much softer. Currently, the maximum fine for companies that leak personal information is merely 6 million won. Following the credit card debacle, the financial regulator announced it would raise the fine up to 5 billion won. Should a financial company earn a profit by using stolen personal details, it said, it could face a fine of up to 1 per cent of its sales revenue.
Security regulations for financial companies need to be further toughened, given that the financial industry is particularly vulnerable to data theft. Finance is an information business. Financial companies are becoming ever more dependent on information technology as clients demand more convenient services and quicker transaction speeds.
Yet information technology is changing constantly, increasing the risks of cyber attacks for financial companies. This poses challenges not only for financial companies but for the financial regulator as well.
To minimize the impact of security lapses, the government needs to curb corporate greed for personal details. Companies across industrial sectors are overly keen to collect customer information. Even pizza delivery companies reportedly collect resident registration numbers from clients.
The law on safeguarding personal information requires companies to limit the collection of personal details to the minimum extent necessary to achieve their business purposes. But this requirement has been ignored. The government needs to enforce the law more strictly and encourage companies to foster information security culture.
Citizens should also enhance their security awareness. The corporate practice of tenaciously collecting customer details will not go away unless consumers start to assert their rights to privacy.
Meanwhile, the latest data breach has rekindled the debate on how to reform the present resident registration system. In Korea, every citizen is given an unalterable 13-digit resident registration number, which is widely used to identify people in private transactions.
This system, while convenient, has a fatal weakness. It can facilitate identity theft and other types of fraud as one can easily create an account with many Korean websites using a stolen RRN. This drawback has been magnified in recent years as too many citizens had their RRNs leaked as a result of the successive large-scale data breaches.
The latest one at the three credit card companies has sharply amplified concerns about fraud, which cannot be allayed without allowing people to change their RRNs. To resolve the problem fundamentally, President Park Geun-hye told officials to find ways to identify people without using RRNs.
This is a big challenge for the government. And it will take time to come up with a viable solution. Yet no matter what kind of alternative the government presents, preventing data breaches will still require heightened information security awareness among companies, regulators and citizens.
Yu Kun-ha is chief editorial writer of The Korea Herald.