What Happened
On 6 March 2014 the homepage of KT (Korea Telecom) was found to have been hacked. Of KT's 16 million customers, 12 million had their personal information stolen. The stolen data included names, social security numbers, email addresses, credit card numbers and bank account numbers. The incident affected roughly one fifth of South Korea's population. [1]
How It Happened
The breach was the work of a group of professional hackers who used the method described below.
[Diagram: the stages of the identity theft, numbered in black circles. Image source: http://news.naver.com/main/read.nhn?mode=LS2D&mid=shm&sid1=105&sid2=732&oid=001&aid=0006793744]
The diagram shows how the identity theft occurred (the numbers in the black circles correspond to the steps below):
- Using the intercepting proxy Paros Proxy, the hackers harvested customer data by repeatedly submitting arbitrary nine-digit numbers to the financial-services program on the homepage. Whenever a submitted number matched the actual security code of a customer, the server returned that customer's private information; the hackers captured the response in the proxy and decoded its contents.
- Over the course of about a year, the hackers collected the private information of 12 million people this way.
- The hackers used the stolen data to do business with the theft victims.
- The hackers sold the stolen private information some 5 million times to three cell phone stores.
- The hackers made a profit of approximately 11.5 billion won.
Ultimately, the lack of monitoring and of concrete security controls led to this outcome. Because the attack was simple and highly repetitive (the same request, sent over and over with only the nine-digit number changed), the breach could have been prevented had KT detected the repeated input. However, KT was unable to do so, as its service program was not able to . [1][2]
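As an added illustration of the point above (this is not code from KT or from the cited reports), the following Python shows both halves of what was missing: a detector that spots the guessing pattern in web access logs (one client, many distinct nine-digit numbers, mostly non-200 responses, sequential values), and a server-side guard that caps how many distinct customer numbers one client may look up per window. The log format, the /lookup?cust= endpoint, the IP addresses, the timestamps and the thresholds are all constructed assumptions.

```python
"""Detecting and blocking brute-force enumeration of nine-digit customer numbers.

Added example, not KT code. The endpoint, log format and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. 203.0.113.10 walks sequential numbers and mostly misses;
# 198.51.100.7 is a normal customer looking up its own number twice.
SAMPLE_LOG = """\
203.0.113.10 [06/Mar/2014:10:00:00] "GET /lookup?cust=100000001" 404
203.0.113.10 [06/Mar/2014:10:00:01] "GET /lookup?cust=100000002" 404
203.0.113.10 [06/Mar/2014:10:00:01] "GET /lookup?cust=100000003" 404
203.0.113.10 [06/Mar/2014:10:00:02] "GET /lookup?cust=100000004" 200
203.0.113.10 [06/Mar/2014:10:00:02] "GET /lookup?cust=100000005" 404
203.0.113.10 [06/Mar/2014:10:00:03] "GET /lookup?cust=100000006" 404
198.51.100.7 [06/Mar/2014:10:00:00] "GET /lookup?cust=734512908" 200
198.51.100.7 [06/Mar/2014:10:05:00] "GET /lookup?cust=734512908" 200
"""

# Hypothetical access-log shape: <ip> [<timestamp>] "GET /lookup?cust=<9 digits>" <status>
LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "GET /lookup\?cust=(\d{9})" (\d{3})$')


def parse(log_text):
    """Return a list of (ip, timestamp, customer_number, http_status) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines for other endpoints are ignored
        ip, ts, cust, status = m.groups()
        events.append((ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S"), int(cust), int(status)))
    return events


def find_enumerators(events, window=timedelta(seconds=60), max_distinct=5, max_miss_ratio=0.5):
    """Detection: flag clients that query many distinct numbers in one window with a high miss rate.

    Returns {ip: (distinct_numbers, misses, sequential)} for each flagged client.
    """
    by_ip = defaultdict(list)
    for ip, ts, cust, status in events:
        by_ip[ip].append((ts, cust, status))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        for i in range(len(rows)):
            # sliding window anchored at request i
            win = [r for r in rows[i:] if r[0] - rows[i][0] <= window]
            ids = sorted({c for _, c, _ in win})
            misses = sum(1 for _, _, s in win if s != 200)
            if len(ids) >= max_distinct and misses / len(win) >= max_miss_ratio:
                sequential = all(b - a == 1 for a, b in zip(ids, ids[1:]))
                flagged[ip] = (len(ids), misses, sequential)
                break
    return flagged


class LookupGuard:
    """Prevention: bound the number of distinct customer numbers one client may query per window."""

    def __init__(self, window=timedelta(seconds=60), max_distinct=3):
        self.window = window
        self.max_distinct = max_distinct
        self.seen = defaultdict(list)  # ip -> [(timestamp, customer_number)]

    def allow(self, ip, now, cust):
        recent = [(t, c) for t, c in self.seen[ip] if now - t <= self.window]
        self.seen[ip] = recent  # drop entries that fell out of the window
        distinct = {c for _, c in recent}
        if cust not in distinct and len(distinct) >= self.max_distinct:
            return False  # a new number beyond the cap: refuse the lookup
        recent.append((now, cust))
        return True


def replay(events, guard):
    """Replay the events through the guard in time order; return blocked requests per IP."""
    blocked = defaultdict(int)
    for ip, ts, cust, status in sorted(events, key=lambda e: e[1]):
        if not guard.allow(ip, ts, cust):
            blocked[ip] += 1
    return dict(blocked)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("flagged:", find_enumerators(evs))
    print("blocked:", replay(evs, LookupGuard()))
```

On the constructed log the detector flags only 203.0.113.10 (six distinct sequential numbers, five misses), and the guard would have refused its fourth and later lookups while letting the legitimate customer's two requests through. In production the guard would key on the authenticated session rather than the source IP, and the lookup itself should only ever return the record belonging to the logged-in user, so that guessing someone else's number returns nothing at all.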
Current Developments
Although KT has issued an official apology, it has made no specific statement about systematic improvements, damage control, or compensation. [1] Public reaction has been negative, since KT had already suffered another major breach in 2012, in which 8 million identities were stolen. [3]
The theft notification service provided by KT has been criticized for demanding a wide range of private information (such as gender and nationality) and for requiring signatures on four terms of agreement. [1]
On 18 March 2014 the media reported that the South Korean government had ordered KT to pay a fine of 100 million won. [4] Although the decision rests on a legal provision setting the fine for unintentional information leakage at 1% of annual sales [4], it caused public outrage, as the amount was considered insignificant compared with the damage caused by the theft. KT stated that compensation would be paid as ordered by the government. [5]
Sources
[1] http://news.danawa.com/News_List_View.php?nBoardSeq=60&nSeq=2584803
[2] http://news.naver.com/main/read.nhn?mode=LSD&mid=shm&sid1=105&oid=014&aid=0003124463
[3] http://news.naver.com/main/ranking/read.nhn?mid=etc&sid1=111&ranking&oid=018&aid=0002635493&date=20120729&&rankingSeq=1&rankingSectionId=105
[4] http://news.kukinews.com/article/view.asp?page=1&gCode=kmi&arcid=0008144217&cp=nv
[5] http://news.sportsseoul.com/read/economy/1335515.htm