Senior executives at South Korean banks and credit card firms have resigned following a breach which may affect up to 20 million people.
In this case, an employee from personal credit ratings firm Korea Credit Bureau (KCB) was arrested and accused of stealing data from the customers of three credit card firms while working for them as a temporary consultant.
According to the South China Morning Post, the stolen data included customer names, social security numbers, phone numbers, credit card numbers and expiry dates. The information was taken from the internal servers of KB Kookmin Card, Lotte Card and NH Nonghyup Card and was sold to phone marketing companies, whose managers were also arrested earlier this month.
Now the Yonhap news agency has reported that some senior executives tendered their resignations as a result of the breach, and came after the country’s financial regulator warned of stern punitive measures against financial institutions and their chiefs if the latest leak turned out to be a result of their management failure.
The management of KB Financial offered their resignation en masse to take responsibility for the incident, while the chief of Nonghyup’s credit card business division also tendered his resignation.
Gov. Choi Soo-hyun of the FSS was quoted as saying in a meeting with his staff: “We will hold them fully responsible for the data leak if their sharing of client data among affiliates and lax internal control turn out to be the cause.”
Yonhap also reported that there had been more than 150,000 applications received for the three card firms as of midday today, after some cardholders reported a series of unauthorised credit card charges and claimed that they are from the data leak.
Matt Middleton-Leal, regional director for UK & Ireland at CyberArk, said: “The sheer scale of this data breach is extremely alarming, with as many as 20 million people affected by the alleged incident.
“In the case of the alleged breach in South Korea, the fact that the individual was reportedly able to access and then sell on vast quantities of customer information is very worrying. It should not be the case that an employee – and in this case a temporary consultant – is able to access and then download sensitive data without this suspicious activity being flagged up. It is essential for organisations to have a system in place that is capable of managing, monitoring and controlling all privileged access and activity, with the option to terminate a malicious session if necessary.
“While it would seem that this case is a classic example of the ‘insider threat’ – that is, the malicious abuse of privileged access – the threat from within can also include the accidental misuse of privileged access, or the abuse of these accounts by cyber attackers, who immediately seek out these credentials once inside a corporate network in order to steal information or imbed malware in a system.”