A massive theft of customer data from three major credit card firms in South Korea has shown security lapses in the financial industry.
First revealed by prosecutors, the theft of information linked to 80 million credit cards such as salaries, monthly card usage, credit rating and card numbers has sparked widespread public concern. Cardholders are flocking to bank branches and overloading call centers and service websites to find out if their information was stolen.
Local media said the theft may have affected most credit card holders in a country of 50 million people. Prosecutors and the financial regulator said no financial losses have been reported.
Financial Services Commission Chairman Shin Je-yoon said in a statement Monday that the credit card companies had failed to ensure adequate security.
The chief financial regulator urged the companies to be vigilant about data theft not only by hackers but also by employees and contractors. South Korean financial firms, media companies and governments have fallen victim to cyberattacks in the past with local authorities blaming North Korea as a culprit in some cases.
But the latest data breach exposed how confidential customer data was poorly managed by financial firms.
Prosecutors said last week that an employee of Korea Credit Bureau, a contractor, stole the data beginning 2012 by copying data to a USB device.
Prosecutors said the worker, who was responsible for the development of new software to detect credit card fraud, sold the data to a loans company.
The stolen data from Lotte Card and the credit card units of KB Financial Group and NongHyup Bank was unencrypted, according to Cho Sung-mok, a director at the Financial Supervisory Service.
He said the companies were unaware of the theft until prosecutors began an investigation.
NongHyup Bank's card division did not notice the data breach for more than a year while KB was unaware for over six months.
Chiefs at credit card firms apologized and authorities have vowed to beef up security measures.
Explore further: Never mind: Android L full-disk encryption by default not required