Leaks of personal information ruin confidence in digital economy

Concerns of many have become a reality. More than 100 million sets of personal data were leaked from a financial institution. An employee of an outsourcing company illegally collected client data from Nonghyup Card (25 million sets), KB Kookmin Card, (53 million sets) and Lotte Card (26 million sets) in October 2012, June 2013 and December 2013, respectively. Some of the leaked data were sold to a loan advertising agency and a loan collection agency. A total of 3.18 million sets of personal data had been leaked from major financial institutions on eight occasions since 2011 until this recent leak occurred at an unprecedentedly massive scale.

Once client data are leaked, responsible businesses rapidly make apologies. Financial supervision authorities launch an urgent inspection and vows to prevent any reoccurrence. However, damages continue to expand.

The direct cause of the leak was credit card companies’ loose security against the employees of outsourcing companies. They allowed the external employees to carry USB hard drive when accessing the personal data processing system. Besides, the companies gave them excessive authority, and the client data were not securely coded.

The bigger problem here is that some card companies have not been even aware of the leaks for more than one year. People are also concerned over secondary damages caused by the leaks. Reportedly, the leaked data include the clients’ name, cellphone number, company and address, and credit rating information in some cases. Substantial compensations for the victims are not likely in the foreseeable future. Although leaks of personal data at various scales have occurred in credit card companies since 2010, it seems no credit card company is willing to make a direct compensation for damaged clients.

The financial authorities are also responsible for the repetitive leaks of personal data. Poor response and soft punishment have encouraged financial firms to be complacent about their security systems. The current law has provisions to punish financial firms and reprimand their employees that are responsible for leaks. However, due to lose follow-up measures, financial firms have not recognized the need to strengthen their security management.

Financial firms that cause a massive leak of client data have to be held responsible and severely reprimanded. This way, their awareness of security will be improved and substantial investment can be made in security systems. Firms will have to change their way to manage security systems to prevent recurrences. In addition, the information security management of all financial firms needs to be inspected.

As for the employees of outsourcing companies, measures including physical and logical control of access to critical financial information, proper authorization of developers, strict division of development security and operation security, security measures such as the encryption of clients’ major financial information and tighter inspection and post-monitoring of major personal data processing should be taken urgently.

Since digital data can be easily copied and disseminated, a real-time monitoring system should be built to prevent the illegal distribution of leaked data. The “Personal Data Guidelines in the Finance Industry” announced in August last year clearly states the trustee’s responsibility for data management and supervision. The financial authorities should assure that these regulations are abode by in the field.

Security inspection by the financial authorities should be revised and become more proactive. Also, all financial firms over a certain size should be regulated to have a certification on their information protection management system. Credit card companies whose security system is breached should alert their clients to the possibility of secondary damages such as voice phishing and financial frauds, in order to ease clients’ concerns and help them properly respond. And they are also required to compensate victims for the losses because the leaks are caused by their poor security management.