It is time to raise the awareness of personal information security

 
 
On February 8th, the presidents of the three credit card companies, KB Kookmin, Nonghyup, and Lotte, apologized for the personal information leakage incident.
   
 
While South Korea is one of the most alert nations in the world, it can become sluggish when it comes to protecting personal information. In spite of a continuous series of devastating data leaks at public and private organizations, security consciousness remains woefully low among corporations, regulators and even citizens. The recent mass leakage of personal information involving the three credit card companies (KB Kookmin, Nonghyup and Lotte) clearly shows how serious the problem is. It was the biggest leak of personal information in history, as more than 100 million personal details of some 20 million people were exposed. The leaked data included not only basic personal information such as addresses but also mobile phone numbers and resident registration numbers. It also included sensitive financial details, such as credit card numbers, expiry dates, bank account numbers and annual income.

The interesting fact is that while previous catastrophes were caused mostly by hacking attacks, the latest one was brought about by an insider. The culprit was an employee of Korea Credit Bureau (KCB), a personal credit ratings firm that manages a program to prevent deceptive use of credit cards for the three corporations. The KCB employee illegally copied an enormous amount of credit card user data onto a USB memory stick. He then sold it to a broker, who in turn sold it to telemarketers of financial products and services.

The criminal was able to access the vast amount of data easily because the card companies had left it unencrypted, which is a violation of the Personal Information Protection Act. Besides, the companies did not strictly manage the use of portable storage devices (USB) on corporate premises, allowing the KCB officer to bring his own personal USB memory stick in and out without any sanctions. All this means that the recent data leak could have been prevented if the card companies had complied with basic security procedures. They did not even bother to follow the rules because they did not take security threats seriously.

Even after a huge leakage incident, the majority of corporations fail to recognize that information security is essential. To them, personal data protection is simply an expenditure rather than an investment that pays off not only financially but also in credibility with consumers. Moreover, the light punishments handed down for the 15 information leak incidents since 2008 have played a major role in encouraging corporations to neglect the importance of security systems. Last year, the Personal Information Protection Act was toughened. Under it, private or public companies that are found to have left personal information unencrypted are subject to a fine of up to 30 million won. However, the regulations applied to financial companies are much softer, since the maximum fine for companies that leak personal information is merely six million won. After the recent credit card devastation, the financial regulator announced it would raise the fine up to five billion won but has not applied the penalties yet. In addition, security regulations for financial companies need to be further toughened, considering that the financial industry is especially vulnerable to data theft. Finance is an information business, and financial companies are becoming ever more dependent on information technology as clients demand more convenient services and quicker transactions. Thus, as information technology is changing constantly, it is undeniable that the risk of cyber attacks on financial companies will rise. This calls for a systematic solution that addresses the underlying causes of massive personal data leaks. South Korea should also follow the good precedents of other developed countries such as the U.S. and Germany.

Before delving into how the U.S. and Germany prevent and manage personal information leaks, it is important to understand the underlying causes of this massive personal data leak in South Korea: a social structure that ignores the significance of data protection, and the resident registration system. Giving personal data to financial institutions and public institutions is reasonable when people need to get a bank loan or open bank accounts; however, in South Korea, when people sign up for an internet blog, online shopping malls, and many other websites, they are asked to offer their personally identifiable information. As a matter of fact, most online and offline stores have been asking for personally identifiable information in exchange for membership. Furthermore, the resident registration system collects personal information such as sex, age and birthplace, along with a unique resident registration number given to each individual, which can never be changed.

However, the United States does not have a resident registration system. Instead, it has the Social Security Number, which is highly protected by the government and illegal for any other offline and online stores to ask for. Any store that forces customers to fill in their Social Security Number will be forbidden to operate. Also, in Germany, citizens do not possess a resident registration number, because they get numbers from government organizations for specific fields such as medical care and annuity insurance.

So what actions should South Korea take in order to prevent personal information leakage? First, the government needs to regulate and limit the collection of personal details. Companies in South Korea are overly keen to collect customer information. Even delivery or cosmetic companies reportedly collect resident registration numbers from clients. The law on safeguarding personal information should be changed so that companies collect only the minimum details necessary to achieve their business purposes. Citizens, too, should enhance their security awareness. The corporate practice of collecting customer details will not fade away unless consumers start to insist on their right to privacy. According to Lee Jae-youn, a senior researcher at the Korea Institute of Finance, “The nation’s information security system needs a repair. In South Korea, resident registration numbers are linked to so much other data. The country needs other types of systems where each needed information is not linked to the other.” Thus, the current system should be reformed, since resident registration numbers can cause identity theft and other types of fraud.

As for personal information leakage, it will most certainly take quite a while to come up with a feasible solution. No matter how much corporations compensate their customers, it will never be enough, as preventing data leakage is more important. Overall solutions need to be strengthened in order to raise personal information security awareness among companies, regulators and citizens. These three parties need to reform so that South Korea can one day become a good example to other nations.

Copyright © University Media Center. Unauthorized reproduction and redistribution prohibited.