Papas Fritas writes:
"Michael Kitchen at Marketwatch reports that when companies in the US are hacked for customer information they often seem to react to such thefts with little more than a sigh and a shrug if they even report it at all. But in South Korea, they don't mess around with ID theft.
South Korea's financial-services regulator announced Sunday that three firms which suffered the theft of consumers' data last year would be barred from issuing any new credit cards or extending any loans for three months. In addition, the executives at the companies involved showed their contrition by going before television cameras and making deep bows and personal apologies. Some executives reportedly resigned over the incident, even though the alleged ID thieves were caught and arrested. The South Korean Financial Supervisory Commission (FSC) said the companies had 'neglected their legal duties of preventing any leakage of customer information.'"
(Score: 5, Funny) by girlwhowaspluggedout on Tuesday February 18 2014, @10:39AM
Soylent is the best disinfectant.
(Score: 4, Funny) by Darth Turbogeek on Tuesday February 18 2014, @11:47AM
Make them use Beta on Slashdot?
BTW new Overlords, good work. What a blast from the past it is to use the old style Slashcode once again. Frankly it's a shit load better. And so far the story selection doesn't suck too. Keep up the good work!
(Score: 5, Insightful) by Maow on Tuesday February 18 2014, @10:42AM
Accountability -- I thought I would never see such a thing again.
Is it still the case in South Korea that IE6 is a requirement for a lot of official on-line activities, such as banking?
[Off Topic]
Wish I could comment in-line: I'd like to see what I'm replying to without opening another tab.
(Score: 2, Interesting) by BradTheGeek on Tuesday February 18 2014, @10:55AM
Unfortunately, aside from a few examples, we live in a 'pass the buck' society.
Accountability, much like ethics, is something for PR departments to develop flowery speeches for, not to follow.
(Score: 1) by mrbluze on Tuesday February 18 2014, @11:17AM
In other countries lawyers would sue the banks, and the victims would get 10%.
Do it yourself, 'cause no one else will do it yourself.
(Score: 1) by mechanicjay on Tuesday February 18 2014, @12:23PM
Yes, if you craft your policies and procedures properly, no one ends up holding the bag when things go tits-up. I am fundamentally opposed to this mode of operation, I think it's ruining society.
My VMS box beat up your Windows box.
(Score: 4, Interesting) by FatPhil on Tuesday February 18 2014, @11:58AM
South Korea *seems* advanced certainly, but it's not necessarily much more than a facade. I've seen the inside of Samsung. Were I to tell you what they demand you run on your machines, such as browsers and versions, I'd be in breach of NDA. But for someone who was supposed to be a linux kernel developer, I can assure you it wasn't a pretty sight.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 1) by Cyberdyne on Tuesday February 18 2014, @06:03PM
IE is a requirement, yes, not specifically IE6.
(Score: 5, Interesting) by combatserver on Tuesday February 18 2014, @10:53AM
From the Any-publicity-is-good-publicity Dept.
I couldn't help noticing the embedded stock tracker in the first link for the company discussed--their stock went up +250.00 +0.65% today.
I hope I can change this later...
(Score: 2, Insightful) by monster on Tuesday February 18 2014, @04:21PM
Maybe there were expectations for a much tougher sanction.
You know, some foreign regulators are very independent, serious and have real teeth, unlike the laughingstock called "the SEC".
(Score: 5, Insightful) by lubricus on Tuesday February 18 2014, @10:57AM
Not mentioned in the article is whether or not the banks quickly and transparently reported the breach.
I agree that people should be held accountable, but it seems much more important to me that breaches are quickly and openly reported so that customers can take actions to protect themselves. I worry that punitive actions could be another factor (in addition to lawsuits, quarterly earning reports) that incentivizes coverups.
If anything should be penalized, it should be the coverup of the breach, not the breach itself.
... sorry about the typos
(Score: 3, Informative) by girlwhowaspluggedout on Tuesday February 18 2014, @12:00PM
Neither quickly, nor transparently, or at all.
According to the BBC [bbc.co.uk], "the data was easy to steal because it was unencrypted and the credit card firms did not know it had been copied until investigators told them about the theft". I've posted additional details in a message below [soylentnews.org].
Soylent is the best disinfectant.
(Score: 5, Informative) by girlwhowaspluggedout on Tuesday February 18 2014, @11:34AM
Although the summary, as well as the linked-to BBC article, call this a hacking incident, it was actually a simple case of data-theft-by-employee [bbc.co.uk]. Reminiscent of Snowden, the data -- names, credit card numbers, phone numbers, e-mail addresses, residential addresses, and resident-registration numbers [wsj.com] -- was stolen by a contractor who simply copied everything to a USB stick.
The contractor was working on forgery-proofing credit cards [dailymail.co.uk] for Korea Credit Bureau, a credit rating company that enjoys access to the databases of the credit card companies in question. It just so happens that not only was the data unencrypted, the credit card firms did not know it had been copied until investigators told them about the theft [bbc.co.uk].
Keep in mind that this isn't just a run-of-the-mill credit card information leak, but a wide reaching theft that affected about 40% of all Koreans, including -- reportedly [dailymail.co.uk] -- South Korean President Park Geun-hye and UN chief Ban Ki-moon. I assume that American banking executives would receive more than a simple slap on the wrist if Obama's banking details were to be stolen. Piss off the wrong people, and...
Soylent is the best disinfectant.
(Score: 2, Interesting) by BsAtHome on Tuesday February 18 2014, @12:05PM
You actually highlight the real problem here: "Piss off the wrong people, and...".
That statement highlights the double standards employed. It should not matter *who* you piss off. Each instance must be handled in the same way. When not, social unrest is pre-programmed.
(Score: 1) by girlwhowaspluggedout on Tuesday February 18 2014, @12:36PM
TBH, I have no familiarity with South Korean culture or its criminal justice system, so there is always the chance that they do not employ such double standards. OTOH, South Korea's culture of strict hierarchical deference, so to speak, which is well known due to its disastrous effects [ap.org] on airline safety [wikipedia.org], leads me to suspect they're just as bad as the rest of us.
Soylent is the best disinfectant.
(Score: 1) by cyrano on Tuesday February 18 2014, @06:33PM
Actually, security for banking is very, very, very bad, because every bank is legally forced to use SEED. Wiki link: http://en.wikipedia.org/wiki/SEED [wikipedia.org]
This used to be an ActiveX component so the largest part of the Korean population is still on Windows XP and IE6. Even if the banks could serve a session to Firefox, not many people are using it.
They are being hit very hard by the chicken and egg problem.
In China, Windows XP is still gaining market share...
The quieter you become, the more you are able to hear. - Kali [kali.org]
(Score: 4, Interesting) by MrGuy on Tuesday February 18 2014, @01:32PM
This is a story about BANKS who fail to protect personal information.
Which is fine as far as it goes. Banks SHOULD be accountable.
But the vast, vast majority of data breaches are NOT from banks. They're from merchants and service providers. The custodians of the data, not the originators of it. Target. Kickstarter. Retailers.
How does one write a reasonable law to punish a RETAILER who suffers a data breach? Would you recommend Target be barred from accepting credit cards for three months (which is tantamount to recommending Target go out of business)?
(Score: 3, Insightful) by girlwhowaspluggedout on Tuesday February 18 2014, @02:30PM
Well, should we punish every retailer that suffers a data breach?
I'd say that your question touches on the crux of the data theft problem, i.e. where does incompetence end and negligence begin? Should we hold a retailer responsible for using badly designed software? What about placing the POS systems on the same network it stores its customers' credit card records?
And how up to date must its systems be? What should it do when a 0-day exploit is published, without a patch or known workaround?
Soylent is the best disinfectant.
(Score: 4, Interesting) by SpallsHurgenson on Tuesday February 18 2014, @03:30PM
Alternately, the credit-card companies could properly enforce their own PCI compliance rules. According to those, if you are in violation then yes, they CAN forbid you from accepting credit cards from customers until you show evidence that you have fixed the violation. I've seen it happen to smaller companies for far less serious breaches than what happened at Target. That the credit-card companies did not do so with Target has more to do with their fear of losing their income from all those Target sales than it did with not pronouncing a "death sentence" on the retailer.
Of course, that sort of threat is the only thing that will incentivize retailers to take credit-card security seriously. Without it, companies are always going to go cheap and easy, because any bad effects will affect only the customer, not the retailers themselves. But if suddenly a breach of credit-card data could put them at risk of becoming unprofitable, you can bet that more stringent methods will be put into place to ensure that nobody can walk out the door with a thumb-drive full of customer data.
And while I am no fan of excessive government regulation... if the retailers won't do it, and the credit-issuers won't do it, and the customer can't do it, what other option is there but for there to be a law to ensure it gets done?
(Score: 1) by Angry Jesus on Tuesday February 18 2014, @05:41PM
Well, should we punish every retailer that suffers a data breach?
Maybe we need more creative forms of punishment rather than worry about the exact details of the incident.
I'm thinking "Scarlet Letter." Lose control of customer data, now you have to post a banner across the front of your store as large as the sign with the name of the store that tells customers what happened in a simple, standardized way.
California does something like that with respect to restaurant inspections - a letter grade must be posted in the front window that shows what score the place got on the last inspection. Anyone who doesn't have an "A" posted puts their business at serious disadvantage.
(Score: 1) by girlwhowaspluggedout on Tuesday February 18 2014, @08:43PM
I tend to agree. The ideal free market ("perfect competition") requires, among other things, access to information. In this view, then, truly informed purchasing decisions depend on the ability of the consumer to learn about the past failures of businesses in guarding customer data. That doesn't mean, of course, that it has to take the form of government regulation, since it is just as feasible for companies or watchdog groups to provide such Scarlet Letter data.
Soylent is the best disinfectant.
(Score: 2, Funny) by Techwolf on Tuesday February 18 2014, @02:16PM
"theft of consumers' data"
Wow...didn't know you could steal data. Thieves must have deleted all the data after copying it.