Bithumb Ordered to Pay 177 Million Won in Damages to 118 Hacking Victims

On January 7th, the Bitcoin price is displayed on the Bithumb Gangnam Customer Center market status board in Seoul. Photo by Moon Honam munonam@

[Asia Economy, reporter Kim Daehyun] The Seoul Central District Court has ruled that Bithumb Korea, the operator of the domestic virtual asset exchange 'Bithumb,' must partially compensate users who suffered losses due to a hacking incident in 2017.


According to the court on the 25th, the Civil Division 30 of the Seoul Central District Court (Presiding Judge Jung Chanwoo) ruled in the first trial of a damages lawsuit worth 200 million won filed by approximately 130 plaintiffs, including an individual identified as A, against Bithumb Korea and former chairman Lee Jeonghoon. The court ordered the defendants to jointly pay a total of about 177.41 million won to 118 of the plaintiffs.


Previously, on April 28, 2017, Bithumb suffered a 'first hacking attack' during an employee recruitment period, which is related to this lawsuit. The hacker sent a Hangul file disguised as a resume, named 'Resume.hwp,' via email to Chairman Lee. This file contained malicious software capable of file browsing, uploading and downloading, and information collection.


Chairman Lee, who kept a file on his personal computer containing 31,506 records of cryptocurrency transaction information such as members' names, emails, phone numbers, and trading volumes, executed the file sent by the hacker. As a result, the file containing member information was leaked to the hacker.


A 'second hacking attack' also occurred between April and June 2017. The hacker succeeded in accessing 4,981 accounts by repeatedly combining and entering IDs and passwords.


It was found that Bithumb received 92 reports of hacking damages from members between May and October 2017, but regarded these incidents as being caused by user negligence and, aside from strengthening authentication procedures, did not implement further countermeasures.


On June 29, 2017, Bithumb received a threatening email stating, "If you do not give 10% of the Bitcoin you hold, we will leak all member information to the media." The following day, Bithumb posted a notice on its website stating, "An incident suspected of a leak of personal information has occurred. Members' KRW and cryptocurrency deposits are being safely stored."


Individuals such as A filed a civil lawsuit demanding compensation for damages, including the theft of virtual assets resulting from the hacking. The court acknowledged Bithumb's negligence regarding both the first and second hacking incidents, but recognized causality for damages only in relation to the second hacking attack.


This is because there was no evidence to prove that the hacker from the first attack, in which passwords were not leaked, was the same as the hacker from the second attack. The court also determined that the second attack may have been attempted using email addresses and phone numbers collected through other means.


Regarding the first hacking attack, the court pointed out, "Bithumb Korea violated its statutory obligations under the information service use contract or the Information and Communications Network Act to protect stored personal information. Chairman Lee could have foreseen the risk of personal information leakage, yet conducted business involving files containing large amounts of personal data on a personal computer with a low security level, thereby negligently facilitating the hacking."


However, the court ruled, "Based solely on the plaintiffs' evidence, it is difficult to recognize causality between the defendants' illegal acts and the plaintiffs' damages." The main security measure for member accounts is the password, not the email address or phone number. Therefore, causality cannot be recognized between the file leak and the theft of virtual assets based only on hypothetical likelihood.


For the second hacking incident, the court recognized the causal relationship with the theft of virtual assets. The court stated, "Bithumb Korea had ample opportunity to respond, having received numerous reports at the time, but did not operate a security system at a reasonably expected level. It appears that, without a dedicated organization for system security, the company delegated this responsibility to the development team or outsourced personnel, and routinely concluded that reported hacking incidents were caused by user negligence, as was the case in the first hacking incident, based on the defendants' judgment."


Meanwhile, in December 2017, the Korea Communications Commission imposed a corrective order, a fine of 43.5 million won, and a penalty surcharge of 13.5 million won on Bithumb. In addition, Bithumb Korea and former chairman Lee were prosecuted for violating the Information and Communications Network Act, and each was fined 30 million won in the first trial.


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.

