Korea Credit Bureau card-data theft
A contractor at the Korea Credit Bureau copied the card and identity data of about 20 million customers of KB Kookmin, Lotte and NH Nonghyup card firms onto a USB drive and sold it — one of the largest financial-data thefts in South Korean history.
- Victim: Korea Credit Bureau (KCB) / KB Kookmin, Lotte, NH Nonghyup card units
- Records: 20.0M
- Users: 20.0M
In January 2014, South Korea was rocked by one of the largest financial-data thefts in its history: a contractor at the Korea Credit Bureau (KCB) had stolen the card and identity data of roughly 20 million customers — equivalent to around 40% of the population — and sold it to marketers.
What happened
The KCB is a personal-credit-ratings firm that develops anti-fraud systems for South Korean card issuers. A consultant dispatched by the KCB worked on-site at three major card companies — KB Kookmin Card, Lotte Card and NH Nonghyup Card — where he had legitimate access to their customer databases.
Over roughly 18 months, he secretly copied vast volumes of customer records onto a USB external drive and walked them out of the building. The breach was possible largely because the sensitive data was not encrypted, leaving it readable to anyone with database access. He then sold the data to phone-marketing companies and loan brokers, whose managers were also arrested.
What was stolen
The stolen records included customers' names, resident-registration (national ID) numbers, phone numbers, home addresses, credit-card numbers and expiration dates. The combination of national ID numbers and full card details made the data acutely dangerous for identity theft and financial fraud.
Impact and aftermath
- About 20 million card customers were affected — a staggering share of South Korea's roughly 50 million people.
- Public anger was intense. The heads of the three card units publicly apologised and offered to resign.
- In February 2014, the Financial Services Commission suspended the three card firms from issuing new cards or signing up new customers for three months, and imposed fines.
- Millions of customers demanded card reissues, and the episode triggered a national debate over the pervasive use of resident-registration numbers.
Why it matters
The KCB theft is the canonical South Korean insider-threat and data-minimisation case. It exposed how trusted third-party contractors with broad database access — combined with unencrypted storage and weak removable-media controls — can cause nationwide harm without any external "hack." It drove reforms limiting the collection and use of resident-registration numbers, mandated stronger encryption of financial data, and tightened oversight of outsourced IT staff across Korea's financial sector.
Timeline
- A consultant from the Korea Credit Bureau, embedded at the card firms, secretly copies customer data to an external drive over roughly 18 months.
- Prosecutors announce the arrest of the KCB contractor for stealing the personal data of about 20 million card customers.
- KB Kookmin, Lotte and NH Nonghyup card chiefs publicly apologise and offer to resign as the scale becomes clear.
- Financial regulators suspend the three card firms from issuing new cards and taking new customers for three months.
- Regulators fine the firms and order remediation; millions of South Koreans request card reissues.