[The Editors' Verdict] "After My Daughter's Tears, That Stranger"... The Monster Created by LG Uplus Data Breach

"There is someone else in the room... in my room... a stranger, a Korean."

The voice of the seventeen-year-old daughter was trembling with fear and sobbing. After a brief moment of crying, when the mother repeatedly asked, a strange man's voice was heard over the receiver. He demanded dollars. He told her not to hang up and to move to OO Station.

Cold sweat flowed, and her legs gave out. She held onto her sanity. Just a few hours ago, she had checked on her daughter who had left the country yesterday to attend a language camp... The international call's caller ID clearly showed her daughter's number. There was no doubt.

Whether it was bad luck or good luck, the call ended within five minutes. During that time, she was able to contact the study abroad agency staff accompanying her daughter. The local time was midnight. The daughter was safe.

In about ten minutes, she went through hell and heaven. Although she confirmed her daughter's safety, the mother’s body was still trembling. Mrs. A only learned about the LG Uplus customer personal information leak incident after confirming her daughter's safety. To prevent secondary damage, she checked and found a notice confirming that her personal information had been leaked.

Mrs. A was a victim of voice phishing on the afternoon of the 11th. Customer number, name, address, encrypted resident registration number, encrypted password, service product name, even date of birth, phone number, web ID, and email address were leaked, but she received no contact from LG Uplus.

If the fundamental problem was LG Uplus’s negligence in protecting personal information, the second mistake was not actively informing customers about it. Mrs. A only realized that all her information had been stolen after searching news articles and checking whether her customer information had been leaked following the chaos.

LG Uplus announced the customer information leak on its website on the afternoon of the previous day (the 10th). Before and after the website notice, they did not separately notify customers who suffered personal information leaks via text messages or personal emails. The media explanation and reality were different. If she had received prior notice that all her personal information had been leaked, Mrs. A could have suspected voice phishing the moment she received the call from the "stranger."

The delayed notice was the third mistake. LG Uplus announced the leak to the public eight days after being notified of the information leak by the Korea Internet & Security Agency.

On the day she went to replace the hacked USIM chip, the LG Uplus agency recommended device replacement to the flustered Mrs. A. LG Uplus explained, "Most voice phishing victims change their devices." They did not inform her that if she kept using her existing phone for a few more days, no penalty fees would be incurred. They lured customers who suffered from their personal information leak to sell devices.

LG Uplus also failed to properly implement emergency measures after the damage occurred. Personal information of 180,000 customers was leaked, and even on the day they "humbly apologized," LG Uplus 114 call center agents were only available during business hours. The Customer Information Protection Center staff were only reachable until 9 p.m.

Even if personal information is leaked, even if customers who are victims are not properly informed, and even if they sell phones again to anxious customers to fill their pockets, as long as these incidents are settled with just an apology and a few million won in fines, such incidents will continue to repeat.

Kim Minjin, Content Manager, Economic and Financial Investigation Team

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.