It was recently announced that Korean hackers had breached Korea Telecom (KT) and sold personal information on 8.7 million individuals to telemarketers for nearly $900,000 (1 billion KRW). Both hackers, as well as seven telemarketers, have been arrested and charged with crimes. But Korea Telecom may soon find itself in court under a new Korean law.
The KT breach may have taken 7 months to execute, though it is not clear whether this indicates how long the attackers had access to KT networks. The breach was said to have been detected by internal security systems in mid-July. In a statement, Korea Telecom says that the information has been “returned” and that there should be no further damage; however, the Korean Telecom Commission has said that it can’t be 100% certain of that. KT has not said whether the leaked information includes financial information such as credit card numbers or bank accounts, but given the extensive list of items that were leaked, it is likely that this information was at least accessible to the attackers. The information the company admits was leaked includes the following.
Mobile device model
Date of registration
Date of mobile device model change
Total monthly payment
The attackers, as well as the buyers of the illegal information, have been arrested. Based on early reports, it appears that the attackers had help from an insider to bypass security systems and gain information on Korea Telecom’s internal systems. The attackers are reported to have claimed they attacked KT because KT has the highest profits, though it’s not clear whether there was a political motivation for the attacks in addition to the financial one.
Korea has experienced many high-profile breaches over the last 5 years. Most Koreans have likely been affected by several of these personal information compromises. All told, the number of records breached exceeds the number of citizens of the country by a wide margin. What’s unclear is whether the actual number and severity of breaches has increased or whether they’ve simply gotten more attention. But the rate of breaches seems to have increased. Here is a brief list of several high-profile breaches since 2008:
Legal remedies for individuals harmed have been tough to come by. A court case against Auction Korea, for example, was unsuccessful because the judge decided that the plaintiffs had failed to demonstrate causality. That is, they couldn’t show that the defendant had caused the breach, nor could they show that poor security was chiefly responsible for it. Therefore Auction Korea was not deemed liable for the associated damages. At the time it was not possible to sue for negligence under Korean law.
The Korea Telecom breach is the first one since the Personal Information Protection Act (PIPA) came into effect in Korea in 2012. (Note that this is not related to the US Protect IP Act.) The Korean PIPA law is described as a “comprehensive personal data protection law,” which restricts the collection of personal information and specifies that handling precautions must be in place to prevent breaches. And in a reversal of the provision that has prevented successful legal actions, PIPA allows plaintiffs to sue for negligence. This shifts the burden of proof onto the company that suffered the breach, which must demonstrate that its measures were compliant with PIPA.
If a case is brought against Korea Telecom under PIPA, the result will set a precedent in the Korean legal system. But that case may not be hard to prove. A Korean lawyer is quoted as saying: “As the results of the investigation haven’t been announced, it is hard to make a provisional conclusion. But the fact is that the criminals who leaked KT personal information prepared their hacking program for 7 months, and it was hardly detectable as they leaked a small amount of information. For now, there is still a possibility that KT can claim that they upheld their duty of technical protective action well.”
Privacy rights proponents should carefully weigh the benefits of taking this case to court. On the one hand, they should seek justice on the part of the wronged and consequences on the part of the breached. On the other, if they fail to make a strong case, the precedent set may set privacy rights back. Either way, this will be a case to watch for if it appears on the docket.
DISCLAIMER: Stratigos Security is not offering a legal opinion, nor has this article been written by a lawyer. Although we did use the services of a Korean translator for much of the research and fact checking, there may still be errors due to the language barrier. We ask that you take our words with a grain of salt and independently verify important facts. That’s just good journalistic practice. We did the best we could, but you shouldn’t believe it just because it’s on the Internet. That’s just plain common sense.