
Korea Credit Bureau large scale card data theft

21 January, 2014
Credit card data theft resulted from Korea Credit Bureau breaking every data protection rule in the book

A temporary consultant working for Korea Credit Bureau (KCB), a credit ratings agency, stole the credit card details and other information relating to 20 million people in South Korea by copying the data onto a USB storage device and selling it on to marketing companies.

The consultant has now been arrested, along with bosses of the marketing companies that bought the data, and the bosses of KCB have apologised to those affected by the theft.

This extraordinary case of highly sensitive data walking out of the door on a USB stick in the pocket of a temporary employee reads like a "show and tell" case study used for teaching IT security professionals the fundamentals of data protection. It has all the farcical elements of an exaggerated story concocted for use as an example. Sadly, it isn't one, and as such it is a good illustration of why the basic elements of data protection are so important. These basic elements are privileged access management, encryption, end point protection and removing the so-called "insider threat".

Encryption is key

Encryption is usually a given in the case of credit card data, and it is subject to regulatory control through standards such as the Payment Card Industry Data Security Standard (PCI DSS), so the availability of unencrypted sensitive personal data made the theft from KCB easy. Encryption is a key first step, according to Mark James, the technical director of ESET UK. He told us: "This episode should act as a warning for all businesses to reflect on their attitudes towards the sensitive data they handle. Ensuring data is fully locked down through encryption should be a basic. With an obligation to customers, and financial and reputational damage in the balance, the protection of data and business infrastructure needs to come first."

The insider threat

Without this key first step, protection against insider threats becomes even more important, since insiders have such easy access to the raw data. In the case of KCB, too much trust was placed in a temporary employee. According to Keith Bird, the UK managing director of Check Point, trust is a precious commodity and one that is all too easily exploited. Keith commented: "Data leaks by employees or trusted partners, whether accidental or intentional, are still one of the biggest risks facing companies. In 2013, our DLP survey found that 52% of knowledge workers regularly risk accidental breaches with unsafe computing practices, such as sending emails to wrong addresses, or using unencrypted USB sticks."

Data protection policies that encompass the trust relationship with employees and contractors, data encryption and the copying or transfer of data are part of the answer, according to Chris McIntosh of ViaSat UK. "Private data such as credit card details are a lucrative target for criminals and opportunists and so it is essential that this data is stored centrally on an encrypted drive or transferred to another encrypted device or wherever possible deleted when no longer being used", he said.

Chris continued, "Organisations also need to be sure they have a firm grasp on their data, know where and when it has been copied or transferred in case it falls into the wrong hands. For their part, civilians should be sure that the organisations they trust with their data are behaving responsibly and taking the right precautions to protect them."

Privileged access management

Controlling the insider threat isn't just a matter of policy, but also of access management: protecting data from unauthorised access and ensuring that privileged users are unable to abuse their privileges. Paul Ayers of Vormetric explains further: "Privileged users exist in all organisations. Examples include 'Root' users, domain administrators and system administrators, many of whom are often short-term contractors. They often have powerful, privileged, network access rights and, although these users require a high level of access to enable them to conduct the tasks that they need to perform – like software installation, system configuration etc – there is a very real security issue that arises when these users also have access to data stored within computer systems, and have the ability to read documents, copy or change them."

Although controlling privileged access seems like an essential step, Vormetric's research in October 2013 showed that nearly three quarters of organisations were unable to block privileged access to sensitive data. Paul Ayers believes that the Korean data breach may ring in the changes. "This situation will likely begin to change as more incidents of insider threat data breaches make headlines, but for now a high level of risk from inside company networks remains," he said.

Matt Middleton-Leal of CyberArk is less sure that this signals the beginning of higher awareness of the dangers of privileged access. According to Matt, "Organisations across the board routinely grant highly powerful privileged accounts and credentials to their employees and contractors, and the fact is that without a system in place to effectively control and monitor these accounts, it leaves businesses vulnerable to the potentially disastrous consequences of the abuse or misuse of these insider privileges."

Privileged access management doesn't just prevent malicious acts on sensitive data such as theft, but has the added advantage of protecting data from accidental loss. Incompetence can be just as dangerous as malice. "The threat from within can also include the accidental misuse of privileged access", said Matt, who also concluded:

"A breach of customer data can spell disaster for a business, due to the loss of customer confidence, revenue and the possibility of severe financial penalties if they are found to have been negligent in the protection of this information. Incidents such as the KCB breach in Korea should therefore provide a reminder to businesses of the danger of complacency when it comes to the ever-present insider threat."

Jonathan Newell is a broadcast and technical journalist specialising in security systems and transport safety. He contributes to a range of titles in the technical press. He shares his time between the UK and Kazakhstan.

