Unending Personal Data Leaks... Could Become a 'Crime Gateway' Boomerang

[Asia Economy Reporters Seungyun Song, Jeongyun Lee] Alongside the illegal trading of databases (DB) containing personal information, incidents of personal data leaks continue unabated. Once personal information is leaked, it is difficult to reverse the damage, and the biggest problem is that it is hard to determine how much data has been leaked and where it has flowed. Leaked personal information is often combined with other data to be reproduced and traded.

Cryptocurrency exchange Bithumb was hacked in 2017 due to poor management, resulting in the theft of about 31,000 customer personal information records and cryptocurrency worth over 7 billion KRW held by 243 customers. In the same year, Hana Tour was also attacked by hackers, leading to the leakage of personal information of about 460,000 customers, including passport numbers. Last year, Megastudy experienced a hacking incident that leaked personal information of 5.7 million members. To prevent such incidents, a "punitive damages system" for customer information leaks was introduced in 2014, but it has been pointed out that proving damages is difficult and the fines imposed are relatively light.

Bithumb was fined 30 million KRW by the court for the hacking incident and received a fine of 43.5 million KRW and a penalty of 15 million KRW from the Korea Communications Commission. Hana Tour, in the appellate court, was fined 10 million KRW each for the corporation and the head of the headquarters, and received a fine of 327.25 million KRW and a penalty of 18 million KRW from the Korea Communications Commission. Megastudy was fined 954 million KRW by the Korea Communications Commission.

According to the "Personal Information Leakage Status" analyzed by Assemblyman Park Gwang-on of the National Assembly's Political Affairs Committee, from 2016 to September 2020, a total of 376 incidents involving 64.14 million personal information records were leaked across public, private, and online sectors. However, for 253 confirmed administrative actions involving 50.87 million records, fines and penalties totaled 13.1362 billion KRW, averaging only 258 KRW per case. According to the office of Kim Byung-wook of the Democratic Party, also a member of the Political Affairs Committee, as of the end of August this year, only 11,813 cases had subscribed to liability insurance for damages related to personal information leaks, which is negligible compared to the scale of leaks. The police, Korea Communications Commission, and Korea Internet & Security Agency continue to crack down on illegal acquisition, trading, and distribution of personal information, but eradication remains difficult.

Professor Jang Hang-bae of the Department of Industrial Security at Chung-Ang University said, "Companies prioritize sales and profits, so security is often considered secondary, and they do not find justification for investment until an incident occurs. It is desirable to provide overall support mainly to small and medium-sized enterprises that lack established systems, while creating evaluation indicators and imposing heavy penalties such as fines if standards are not met." Professor Kwon Heon-young of Korea University's Graduate School of Information Security emphasized, "The biggest problem with personal information leaks and trading is that they are often used for crimes such as voice phishing, but related investigations tend to be insufficient. To eradicate illegal activities, cooperation among administrative departments, prosecutors, police, and other criminal justice agencies is crucial, and there must be a strong will to eliminate these crimes."

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.