
8.7 mln KT customers have personal data leaked

Posted July 30, 2012 07:55


“Hello customer, I have phoned you to introduce to you a new product that will help you get the latest handset model. You only have just two months before your mobile phone service contract expires.”

A 31-year-old office worker asked the above caller angrily, “How did you get my phone number?” The caller, a telemarketer, replied over the phone, “I am randomly dialing customers.”

The office worker still had a question. How did the telemarketer know of the exact expiration date of his mobile phone service contract?

It was through hacking. The personal profiles of 8.7 million KT (Korea Telecom) customers were found to have been hacked en masse.

○ Hacking program customized for KT developed

Choi, a 40-year-old computer programmer, accessed KT’s customer information query system for more than seven months from August last year, and produced a hacking program customized for KT. He had worked on program development, maintenance and repair for about 10 years. From February to July 15 this year, he hacked customer data and used it to promote products for the telemarketing company that he is running.

Choi also sold the hacking program, along with data on mobile phone numbers and handset models, to other telemarketing companies. Through such illegal marketing and sales activities, he and his accomplices reportedly earned at least 1.01 billion won (880,000 U.S. dollars).

The programmer developed the hacking program customized for KT because the company pays more compensation to telemarketing companies for their sales than other mobile carriers. KT pays a telemarketing firm 100,000 won (88 dollars) to 150,000 won (132 dollars) per case when a customer changes his or her mobile phone carrier or monthly rate system.

The personal information that Choi and others hacked and leaked covered almost all key data, including names, resident ID numbers, mobile phone numbers, mobile handset model names, monthly rate systems, dates of mobile phone purchases, and amounts of total subscription fees.

The hacking program stole customer information on a few individuals at a time, as if a KT sales agency were querying the customer information system. As a result, KT was unaware of the hacking for nearly five months.

The Cyber Terrorism Response Center at the National Police Agency said, “When the programmer sold the hacking program to other telemarketing firms, he secretively embedded malign codes and routed personal data that other firms stole from KT to his own server in real time,” adding, “He scrupulously prepared to commit the crime. The method of hacking he used was highly advanced as well.”

Police plan to conduct an additional investigation to determine whether KT violated its technical and managerial obligations to protect personal data under the Information and Telecommunication Network Act.

After news of the hacking was made public, KT subscribers confirmed the leak of their personal data via the telecom giant’s website (www.olleh.com) Sunday. A 28-year-old man who confirmed the leak of his data said, “The telephone company collects telephone service fees every month without delay, but pays little attention to the security of customer data,” adding, “If a class-action lawsuit is filed, I will participate.”

○ ‘Other phone service providers cannot be assured of security’

In connection with the incident, KT said, “We deeply apologize for the leak of our customers’ invaluable information,” adding, “As we have seized all PCs and servers of people involved in the case and recovered personal data in its entirety, there is little possibility for additional damage.”

But there is the possibility of secondary crimes such as identity theft and voice phishing, because telemarketing companies that bought the hacking program could have resold the personal data that they collected. It is technically difficult to verify whether personal data was printed out on paper or handed over to others on a USB drive. Only when such data is sent via email or messenger services can records of the data transfer be kept on servers.

Critics say giant IT companies such as KT have a poor understanding of the importance of online security. Choi and his accomplices stole the online administration accounts of people at KT sales agencies, and accessed KT’s customer data management system as if they were KT’s sales agencies.

If things had been operating properly, KT should have become suspicious when a certain sales agency queried 8.7 million cases of personal data over a five-month period. KT’s internal security system failed to recognize this in real time, however. A computer security expert said, “Considering the way sales agencies query customers’ information in ordinary times, accidents similar to KT’s case can also occur at other telecommunication service providers any time.”
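The detection gap described above can be shown with a short sketch, added here as an illustration and not taken from KT's systems or the police findings: a per-day request limit never fires on an account that makes a handful of lookups at a time, while a count of distinct customers per account over a longer window does. The log layout, account names and thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

def build_sample_log():
    """Constructed query log of (day, agency_account, customer_id) tuples."""
    start = date(2012, 2, 1)
    log = []
    for d in range(60):
        day = start + timedelta(days=d)
        for i in range(5):
            # Ordinary agency: keeps revisiting a small pool of its own customers.
            log.append((day, "agency-A", f"cust-{(d + i) % 40}"))
            # Low-and-slow account: same daily volume, but always new customers.
            log.append((day, "agency-B", f"cust-{1000 + d * 5 + i}"))
    return log

def flag_accounts(log, per_day_limit=50, window_days=30, distinct_limit=100):
    """Return (daily_alerts, cumulative_alerts) as sets of account names.

    daily_alerts: accounts exceeding per_day_limit queries on any single day.
    cumulative_alerts: accounts touching more than distinct_limit different
    customers inside any window_days-long window.
    """
    per_day = defaultdict(int)
    seen = defaultdict(lambda: defaultdict(set))  # account -> day -> customers
    for day, account, customer in log:
        per_day[(day, account)] += 1
        seen[account][day].add(customer)

    daily = {acct for (_, acct), n in per_day.items() if n > per_day_limit}

    cumulative = set()
    for account, by_day in seen.items():
        for end in by_day:
            start = end - timedelta(days=window_days - 1)
            distinct = set()
            for day, customers in by_day.items():
                if start <= day <= end:
                    distinct |= customers
            if len(distinct) > distinct_limit:
                cumulative.add(account)
                break
    return daily, cumulative

if __name__ == "__main__":
    daily, cumulative = flag_accounts(build_sample_log())
    print("per-day alerts:", sorted(daily))
    print("distinct-customer alerts:", sorted(cumulative))
```

Both sample accounts issue the same five queries a day; only the spread of customers they touch separates them.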

The Korea Communications Commission and the Public Administration and Security Ministry are considering revising laws and devising measures to levy administrative fines amounting to 1 percent of sales on a company that neglects its data protection obligations, and to recommend the suspension and dismissal of the CEO of the company concerned.



ramblas@donga.com coolj@donga.com