Data breach incidents

In Korea, data breaches (개인정보침해/個人情報侵害), small and large, are in fact a part of daily life. The resident registration numbers of ordinary Korean citizens can easily be collected on the Internet. Data protection (개인정보보호/個人情報保護) is occasionally at risk in Korea.

As massive-scale data leakage incidents (대규모 개인정보유출사고/大規模 個人情報流出事故) take place frequently, the Auction case mentioned below is not the first one. This is because small online shopping malls pay little attention to protecting customers' personal information, while big businesses sometimes lack efficient data control systems or effective employee training.

The situation is expected to change now that the new Personal Information Protection Act came into force on September 30, 2011. Data breach notification has become mandatory. In some cases, data breach incidents may escalate to a level that jeopardizes cybersecurity or even amounts to cyberwarfare.

Key words
data breach notification, data leakage, incident, Auction case, compliance

Massive scale data breach incidents
For the past few years, large-scale collective suits have been filed with the courts against the big corporations and banks responsible.

 * [Oct. 2005] Lineage gamers' data were stolen
 * 8,500 gamers whose IDs were stolen by other users filed suit against NC Soft, and succeeded in the first instance.


 * [Apr. 2006] Details of Kookmin Bank customers were accidentally leaked
 * When Kookmin Bank sent a promotional e-mail to its customers, other depositors' personal information was accidentally attached. More than 1,000 customers successfully claimed damages totalling three billion won against Kookmin Bank in the first instance.

 * [Oct. 2007] SK Broadband (formerly Hanaro Telecom) customers' data were sold
 * Hanaro Telecom sold the details of seven million customers to several telemarketers for profit. 3,000 customers claimed damages against its successor, SK Broadband. The court proceedings are still going on.

 * [Jan. 2008] Details of Auction users were stolen by an unidentified hacker
 * An overseas hacker stole the data of 18 million Auction customers, 145,000 of whom filed suit against the e-marketplace operator, only to fail in the first instance.

 * [Jul. 2008] GS Caltex customers' data were leaked
 * GS Caltex operated customer service centers nationwide based on databases of personal data of GS Bonus Card members who regularly used the GS gas station network. GS Caltex entrusted the operation of the GS customer service centers to its subsidiary, GS Nextation. In July 2008, several employees of GS Nextation conspired with each other to steal a massive amount of personal data of GS Bonus Card members, including names, resident registration numbers, addresses, telephone numbers and e-mail addresses. They copied the data onto storage media such as CD-ROMs and DVDs, and planned to sell the media by showing them to journalists in anticipation of the damages suits expected from card members.
 * In September 2008, the journalists reported the shocking news that CD-ROMs containing 11 million GS Caltex customers' data had been found in a trash can in downtown Seoul. Within a few days, all the data thieves were arrested by the police, and the remaining CD-ROMs and DVDs were fully recovered by the police, with no customer data confirmed to have been leaked.

 * [Jul. 2011] Over 35 million SKC members' privacy was at risk
 * Almost all members of Nate and Cyworld were notified by SK Communications, the operator of these popular social networking services, of a data breach. Their IDs, passwords, names and resident registration numbers had been taken by unidentified hackers. The number of customers whose data was leaked was so enormous that, for the purpose of fair court proceedings, initially no judge unaffected by the incident could be found. In November 2012, the Seoul Central District Court ruled against 2,847 plaintiffs, the alleged victims of the incident, because:
 * - Eastsoft's AlZip software used by SK Comms personnel is not believed to have caused the hacking incident;
 * - SK Comms had properly employed the technical and managerial safety measures;
 * - the hackers seemed to have employed methods undetectable at that time;
 * - Eastsoft, which has nothing to do with data collection, cannot be held liable for the case;
 * - the Korea Communications Commission is not responsible for preventing highly advanced and sophisticated hacking in advance.

 * [Sep. 2011] Frequent data leakages at credit card companies were conducted by insiders
 * A series of data leakages at Samsung Card, Hana-SK Card, etc. were reportedly conducted by their own employees, who tried to sell the personal information to call center operators. The Financial Supervisory Service ordered financial companies to increase their budgets for data security.

 * [Nov. 2011] Over 13 million Maple Story game users' personal information was stolen
 * After the entry into force of the new Personal Information Protection Act, which expanded the scope of application to offline data processors and reinforced the penalties, the first large-scale data leakage took place in November 2011. Coincidentally, it occurred at one of the biggest online game sites, Nexon Maple Story, where 13,220 thousand gamers' IDs and passwords were stolen by an unidentified hacker. To make matters worse, Nexon, which was just ahead of its long-awaited initial public offering in Tokyo, did not take the measures mandated by the new Act. Nexon notified the authorities concerned of the incident one day later rather than immediately, i.e. six days after the incident occurred. Nexon insisted that the users' ID numbers and account numbers had been properly encrypted.

 * [Jul. 2012] Personal data of 8.7 million KT subscribers had been stolen over five months
 * On July 29, 2012, the National Police Agency said that a mobile phone dealer had been arrested for developing a hacking program with his co-worker and stealing the personal data of KT subscribers in small amounts beginning in February 2012. According to the police agency, the stolen information included customer names, mobile phone numbers, resident registration numbers, handset information, the date of service registration, the type of monthly payment plan, the user's total payment fees and the handset switch date. Combining the obtained data with information already in their possession, they were able to identify which customers were most likely to change their mobile phones and concentrate their marketing on that particular group.
 * KT, the country's second-largest mobile carrier, issued an apology the same day, stating that the personal information of 8.7 million of its subscribers had been hacked, but did not explain how and why the hacking had gone on for about five months without KT being aware of such a massive data leakage.

 * [Dec. 2013] Two foreign banks and 16 financial companies reported massive data leaks
 * In early December, the Changwon District Prosecutors' Office announced that there had been leaks of customer information from Citibank and Standard Chartered Bank. About 137,000 pieces of information from these foreign banks were sold to companies marketing loans.
 * In late December, the financial regulator requested 16 financial companies at risk of information leaks to conduct internal inspections. The inspections found that about 1.27 million pieces of information had been illegally leaked, affecting about 650,000 victims: 240,000 from regular commercial banks, 2,000 from savings banks and 110,000 from loan companies.

 * [Jan. 2014] Unprecedented credit card data breaches panicked the whole nation
 * The Changwon District Prosecutors' Office disclosed that an employee of KCB, an independent credit bureau, who had been dispatched to upgrade the security systems of client card companies, had illegally stolen 104 million pieces of cardholders' personal and financial information and sold part of it to people marketing bank loans. The seller and the buyers of the personal credit information were indicted by the public prosecutor on January 8, 2014.
 * However, what seemed an ordinary data breach case turned out to be much worse than initially thought. As the inspection by the Financial Supervisory Service (FSS) went on, the scope of personal data leaked from the three credit card companies (KB Kookmin Card, Lotte Card and NH Card) snowballed to an unexpected scale. Many of the country's major financial institutions were affected by the leaks, too.

Analysis of data breach cases
As seen above, there are three types of data breach: personal information leaked negligently or stolen intentionally by employees (the Kookmin Bank, SK Broadband and GS Caltex cases); personal information leaked by outsiders (the Auction case); or a mixture of both, arising from inefficient technical safeguards and a lack of care in handling customers' data (the Lineage case).

Most of the above cases became worse because the businesses in question, with the one exception of Auction, dealt with the data breach incidents ineffectively or awkwardly.

In this context, compliance, that is, conforming to a rule, policy or law regarding the protection of personal data or of consumers in general, becomes pivotal in corporate affairs. An Internet service provider (ISP) or other company is required to ensure that its personnel are aware of, and take steps to comply with, the relevant laws and regulations.

Sometimes compliance is elevated to the level of social ethics. In Korea, the International Monetary Fund demanded that the Korean government adopt regulatory compliance as part of the rescue package for surviving the banking and financial crisis of 1997.

However, no one has been proven responsible for the leakage of up to 95,800 thousand items of personal data. Once a resident registration number or mobile phone number is obtained by a swindler, it can lead to collateral damage through voice phishing or game item theft. A considerable number of victims filed lawsuits against a particular Internet service provider, only to fail because they could not convince the court with adequate evidence that their damage had been caused by that specific incident. It is difficult to establish that a given misuse of personal data was caused by the 2011 Nate hacking rather than the 2012 KT hacking.

In April 2012, however, the Gumi Branch of the Daegu District Court ordered SK Comms, as Defendant, to pay one million won for the mental distress of a data leakage victim. The Defendant appealed accordingly.

The Auction case
See the court rulings of the first instance and the appellate court.

Regarding the arguments over what kind of data breach amounts to damage to be compensated for mental distress, see the GS Caltex case.