The theft of personal information from more than 100 million South Korean credit cards and accounts, reportedly including those of President Park Geun-hye and UN chief Ban Ki-moon, has ignited a storm of anger and litigation against credit firms.
Worried Koreans on Tuesday packed into branches of one of the banks hit by the theft to ensure their money was safe, while lawyers said 130 people joined a class action suit against their credit card providers in what is expected to be the first of multiple litigations.
“Of course I’m angry. Anyone might know when I pay my credit card bills, let alone my phone number and where I live. I might as well keep all my money in my closet,” said one card user, Lee Young-hye, outside a bank branch.
The biggest breach of personal privacy ever in South Korea has further highlighted the vulnerability of credit card information after tens of millions of US cardholders’ details were stolen from retailer Target during the holiday shopping season.
South Koreans on average have more than four credit cards, something that has contributed to one of the highest levels of personal debt relative to the size of the economy in the developed world.
The data security breach affected around 15 million cardholders, according to official estimates, by far the largest in a series of such scams against financial firms in South Korea going back to 2011. Some previous attacks involved hackers believed to originate from North Korea, but this one seems to have been an inside job.
Financial regulators said a contractor with the Korea Credit Bureau, a private firm that manages the credit information of millions of Koreans for financial services providers, simply loaded details of 105.8 million accounts held by KB Kookmin Card, Lotte Card and NH Nonghyup Card onto a portable hard drive.
The technician was allegedly working on forgery-proofing credit cards when he committed the theft in February, June and December last year, according to regulator Financial Supervisory Service (FSS), citing the prosecutor’s office leading the investigation.
The man then sold the information to at least two people including a loan marketer and a broker, the FSS said. The contractor and at least one other person have been arrested.
VICTIMS SUE, DEMAND ANSWERS
The first class action lawsuit was filed against the three credit card companies late on Monday, a day after the FSS revealed the full scale of the theft, according to the law firm representing them.
The victims are each claiming 110 million won (HK$800,000) in compensation. Lawyers said they expected more lawsuits to come, as internet chatrooms and social media seethed with complaints about the security failure.
“We are preparing additional lawsuits regarding the case and are receiving applications from victims,” an official at the law firm leading the litigation said.
Cho Yeon-haeng, president of Korea Finance Consumer Federation, a customer rights group, said: “Proving actual damages will be very difficult, which means at best nominal compensation for emotional injury.
“What is needed is stopping repercussions by re-issuing all the affected credit cards,” he added.
The stolen information included names, home addresses, and phone numbers, bank account numbers, credit card details, identification numbers, income, marriage and passport numbers.
The FSS said credit card passwords were not stolen, although this was cold comfort to South Koreans for whom most credit card transactions simply require a card swipe and signature - without the need for a chip and pin process. Some outlets such as home shopping channels do not even need a signature.
South Korean media reported that President Park and UN Secretary General Ban were among those whose information was stolen, although government officials and the card firms declined to comment. Park’s office declined to comment, while Ban’s office could not be reached to comment.
Executives from KB Kookmin Card, Kookmin Bank, NH Nonghyup Card, Lotte Card and Korea Credit Bureau, which hired the contractor, offered to resign as investigators probed how such a massive data theft could have occurred so easily.
Credit card spending amounted to 451 trillion won in 2012, accounting for 66 per cent of the country’s private consumption, according to data from the Credit Finance Association of Korea.
The Nilson Report, a California trade journal that tracks the payments industry, said in its August issue that global card fraud rose to a record US$11.3 billion in 2012, from just under US$10 billion the year before.
Nearly half the losses occurred in the United States, helped by the lack of the more advanced card readers.