Not again! > Massive leak of personal information including national IDs and credit card details in South Korea

According to a report by Nikkei BP [1], a huge amount of personal information has been leaked again in South Korea. This has happened many times before, but this time even financial credit ratings have been leaked.

When we talk about leaks of personal information or card information, the concern is usually a security one, such as the data being used in bank transfer scams or cards being misused. This time, however, even financial credit ratings were leaked, so this incident goes beyond a simple leak of personal information and reaches much further into people's private lives, with a correspondingly greater impact on privacy.

As for how the information was leaked, it was not an external hack. An employee of a security company in charge of building a fraud detection system used by the three credit card companies stole customers' personal information over a period of more than a year, between October 3 and December 2012, and sold it to a list broker. The selling price is said to have been 10 million won (approximately 2013 million yen) per million people. The list brokers resell the data, and a set including name, resident registration number, credit card number, expiration date, and PIN apparently goes for around 12 won (approximately 1 yen) per person. It seems such data is easy to buy.

The method of the theft

The method of the theft was simple. The employee pretended to be a system developer, accessed a database of customers' personal information, copied the information onto his own USB memory stick, and took it away. This raises several problems.

Violation of Data Minimization principle

The employee's task was to "build" an unauthorized-use detection system. Therefore, there was no need for him to have access to the database of personal information. Yet none of the three companies had an access control system designed with this in mind. This means that the fourth principle of ISO/IEC 29100, "Data minimization," was not followed.

There are several ways to deal with this. First, there is the question of why developers were accessing the production environment at all. If developers, deployers, and operators are not separated, control becomes difficult.

Next, there is the access control mentioned above. There are two types of control to consider here. The first is basic identity and access management (IAM), which manages the identity of the person accessing the system and restricts access according to a policy. This incident could have been prevented if only this had been in place.

Next, data encryption. This is not directly related to the issue at hand, but it is necessary to prevent backup operators and others from touching plaintext data. To do this, at the very least, backup data must be encrypted.

It is also a problem that it was possible to write to a USB memory stick at all, but in reality all that was needed was for the controls above to work, so that is probably a secondary priority.

Monitoring is not effective

In this case, the unauthorized access to data continued for a year. However, none of the companies were able to detect it during that time. This means that monitoring was not effective. Then again, the system to detect unauthorized use was itself still being built in this case, so to some extent this may have been unavoidable.
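As an added illustration (not code from the original post) of the two controls discussed above, the following combines a minimal role/environment policy that denies a developer account any access to the production personal-data database with a review of audit-log lines that flags reads the policy would not have granted and bulk reads of that database. The roles, resource names, threshold and log lines are all constructed assumptions.

```python
"""Added example: policy-based access check plus audit-log review.

Roles, environments, resource names and the log entries below are constructed
for illustration and are not taken from the original post or the incident.
"""
from collections import defaultdict

# Policy: role -> environment -> resources that role may read.
# A developer building the detection system gets dev-only, synthetic data;
# only the DBA role touches the production personal-data database.
POLICY = {
    "developer": {"dev": {"fraud_detection_build", "synthetic_customer_data"}},
    "operator": {"prod": {"fraud_detection_service"}},
    "dba": {"prod": {"customer_pii_db"}},
}

# Assumed threshold: a single read above this many rows is treated as bulk.
BULK_ROW_THRESHOLD = 100_000


def is_allowed(role, env, resource):
    """Return True only if the policy explicitly grants role -> env -> resource."""
    return resource in POLICY.get(role, {}).get(env, set())


# Constructed audit log: (timestamp, account, role, env, resource, rows_read)
AUDIT_LOG = [
    ("2000-01-05T09:12", "dev_account_1", "developer", "prod", "customer_pii_db", 400_000),
    ("2000-01-05T09:40", "dba_account_1", "dba", "prod", "customer_pii_db", 120),
    ("2000-02-11T22:03", "dev_account_1", "developer", "prod", "customer_pii_db", 900_000),
    ("2000-02-12T10:10", "dev_account_1", "developer", "dev", "fraud_detection_build", 50),
    ("2000-03-20T01:30", "dev_account_1", "developer", "prod", "customer_pii_db", 1_500_000),
]


def review_audit_log(log):
    """Return (alerts, rows_per_account).

    An alert is raised when a read was not permitted by POLICY (a gap in
    enforcement) or when a single read of customer_pii_db exceeds the bulk
    threshold. Totals per account support later investigation.
    """
    alerts = []
    rows_per_account = defaultdict(int)
    for ts, account, role, env, resource, rows in log:
        if not is_allowed(role, env, resource):
            alerts.append(("POLICY_VIOLATION", ts, account, env, resource))
        if resource == "customer_pii_db" and rows >= BULK_ROW_THRESHOLD:
            alerts.append(("BULK_READ", ts, account, rows))
        rows_per_account[account] += rows
    return alerts, dict(rows_per_account)
```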

Lack of human resource security

A.7 of Annex A of ISO/IEC 27001 presents requirements for human resource security. In particular, in this case, it seems that A.7.2.3 Disciplinary process was not functioning well. If you do something like this, you will eventually be found out. At that point you will be punished, but if the expected value of that punishment is lower than the expected value of the profit from the crime, committing the crime is more profitable, so it is bound to happen. There are criminal and civil penalties, but I do not know from this article what level they were set at. In any case, it seems that the profit from the crime was judged to be higher. It would be interesting to know what the wages and employment contracts were like.

Incidentally, one of the reasons why banks offer preferential treatment to employees is to make the expected lifetime wage loss from being fired greater than the expected gains from crime. It seems likely that this will need to be taken into consideration for systems engineers as well.

Another possibility is that the attacker intended to commit a crime from the beginning. In this case, A.7.1 (prior to employment) of ISO/IEC 27001 was also not effective.

The Next Development

According to the article, several things are being done in response to this incident.

Financial Services Commission formulates "Measures to prevent recurrence of financial company customer information leaks"

  1. Financial institutions that leak personal information will be subject to a maximum fine of 50 billion won (approximately 4 million yen) and a suspension of business of up to three months.
  2. Financial institutions that use illegally leaked personal information for business purposes will be subject to a punitive fine of 1% of their sales.
  3. Sharing of customer personal information among affiliated companies will also be restricted.

Financial Supervisory Service: "Measures to block illegal distribution and use of personal information"

  1. The financial authorities (Financial Supervisory Service and Financial Services Commission), prosecutors and police will jointly carry out an intensive crackdown on list brokers for an indefinite period.
  2. Brokers who are arrested will face imprisonment of up to five years or a fine of up to 5 million won (approximately 5000 million yen).
  3. The Financial Supervisory Service is considering setting up a center for reporting the illegal distribution of personal information, with a reward of up to 1000 million won (approximately US$98) for those who report people buying and selling illegally obtained personal information or the site of such transactions and cooperate with the investigation.

It is unclear how much of a practical impact this will have. We will have to keep an eye on how things develop.

[1] http://business.nikkeibp.co.jp/article/world/20140128/258929/?P=1
