Review of Massive Personal Information Leakage Case and Underlying Problems in South Korea

-- By SunghyeOh - 21 Mar 2017


When we talk about the protection of personal information, the right of privacy covers individuals’ ability to control the collection and use of their personal information.[1] In South Korea, the right of “self-determination of personal information” has been recognized as a constitutional right, and several related laws such as the “Personal Information Protection Act” (“PIPA”) have been enacted. Still, people have experienced repeated massive personal data leaks. Among them, the so-called “3-credit card company personal information leak” especially stimulated discussion of two questions: what are the underlying problems, and how should the country proceed to realize the constitutional value of privacy?

The largest-ever personal information leak

In January 2014, Koreans were furious at the news that the personal data on 104 million credit cards issued by three major credit card corporations—Kook-min, Nong-hyup and Lotte Card—had been stolen, affecting 20 million people, or 40% of the country’s population. The stolen data included sensitive personal information: names, social security numbers, residential addresses, and even credit and financial information such as card numbers, expiration dates, and bank accounts. The thief, Park, was a technician at the credit rating company Korea Credit Bureau, which had contracted with the credit card companies; he secretly copied the data onto a USB drive. A significant amount of the stolen data was then sold and resold, ending up with phone marketing and capital loan companies.[2][3]

Following the incident, 188,400 people filed 281 lawsuits against the credit card corporations, seeking compensation of 75.3 billion Korean won ($67.42 million, at the exchange rate of 03/20/2017, hereinafter the same) in total; in general, each plaintiff requested 0.5 million won ($448). Most trial court decisions, which are still pending before appellate courts, ruled partially in favor of the plaintiffs, awarding each victim 100 thousand won ($90) in damages for pain and suffering. The credit card companies were also convicted of violating the “PIPA” and fined 10 million won ($8,955) or 15 million won ($13,432), which all defendants appealed. In addition, administrative sanctions were ordered: each company was subject to a 3-month ban on issuing new credit cards together with a regulatory fine of 6 million won ($5,374).[4] Furthermore, regulatory penalties were imposed on all the companies, totaling 34 million won ($30,452).


This scandal revealed problems in Korea’s personal data protection system on every side. With respect to the companies, the incident showed how much they had neglected their responsibility to protect customers’ privacy. It was reported that the companies gave Park unencrypted data; the lack of any security procedures governing encryption or outsiders’ access suggests that the companies regarded cybersecurity programs as a mere expense. The absence of any workable cybersecurity standard also contributed to the problem. As for the customers, the incident suggested that they were somewhat indifferent to the privacy issue, or had simply given up on their right of privacy. Although many victims expressed their anger by asking the companies to cancel their cards, the vast majority took no further action: only 188,400 people, less than 1% of those affected, actually sued the companies.


After the scandal, the government’s response was to amend the related statutes to increase the level of punishment, on the view that the punishments imposed had been too weak relative to the companies’ scale of business (even though most of the criminal and regulatory sanctions were already the strongest available under the laws applicable at the time). Statutory damages and punitive damages were adopted: consumers may now claim statutory damages of up to 3 million won ($2,687) without proving actual damages, and courts may award punitive damages of up to three times the actual damages. The maximum regulatory penalty was raised to 3% of a company's revenue, and the maximum criminal fine was raised from 10 million won ($8,957) to 20 million won ($17,913).[5][6]

These revisions were made in the hope that they would induce companies to upgrade their cybersecurity practices. However, penalty increases alone cannot be effective or meaningful as long as corporations see the protection of customers' personal information as an expense: a company will rather bear the risk of likely penalties than build a quality security system, so long as it expects the former to be cheaper. Unless there is a real possibility of meaningful and significant penalties, it is hard to believe that Korean companies would change their business strategies. In this sense, one plausible remedy is the introduction of a class-action system, through which meaningful costs can be imposed on companies that neglect to protect their customers’ data.

A lack of workable security standards is another issue. In theory, security standards have existed in Korea, but they have been widely disregarded, as this case shows: the thief was able to access and copy the data in unencrypted form. Even worse, some of these standards are themselves harmful to cybersecurity, for example Korean banks’ pervasive reliance on "archaic financial security software,”[7] namely ActiveX controls, which are highly prone to attack. Establishing and improving security standards, combined with the technological efforts needed to implement them, is therefore strongly recommended.

Lastly, we should never forget the importance of education, which can raise people's awareness. Had awareness of privacy been higher at the time, the victims would not have reacted so passively. Through education, individuals can come to understand the realities and seriousness of privacy invasion, and a society can emerge that values companies that handle their customers’ privacy carefully. Under such conditions, corporations would change how they think about customers’ privacy and its associated costs.

It's hard for me to correlate the facts with the conclusions. It is obvious that penalty increases are useless. Indeed, following the usual absurd position of Korean corporate management that all activities can be strictly divided into "makers" and "takers," security for customers' data will always be seen as "an expense." Raising penalties in this foolish way merely increases an offset expense, in the hope that the present value of respecting customers' privacy, which is still negative to the business, will be smaller than the present value of likely penalties. That will not happen, as you see, without a system of class actions and one of shareholder activism (which you don't mention, as it is even more unthinkable under Korean conditions) that would actually impose significant costs. That security should be seen as a common good in which it benefits all to participate, the actual improvement in social trust, is evident to non-Korean societies in which more social trust exists and the people who run the society know that social trust is worth more than the value of successful corruption.

Meantime, no actual security standards of any value are in place. Active X controls that can never be made secure are still an unbelievably foolish welded-in-place part of Korean banking and commerce, thus ensuring that every user can be plundered all the time. The technical environment of the Korean Net is about as professionally careful of customer safety as the ferry transportation business, and for the same reasons.

So I can't understand, editorially, why you would be celebrating business as usual as the remedy for the widespread and essentially ineradicable difficulty with business as usual.


For the facts regarding the case in Korean:

