In light of the recent announcement that mega-data broker Equifax will not endure any meaningful punishment for endangering half of the U.S. population last year, I am posting this column I first wrote in 2014 (updated 2016) about The Great Target Hack and The Great Korea Credit Bureau hack, contrasting how the U.S. and South Korea handle similar events.
Remember the great Target Stores credit card hack of 2013? 110 million Target customers, including myself, had their credit card information put at risk and/or stolen in November and December of 2013 because of Target’s crummy Internet security practices.
In typical American fashion, nobody lost their job or even got yelled at because of this massive act of incompetence, which resulted in the largest theft of credit card information in world history. Sure, there were some hearings on Capitol Hill the following February, but not much happened, outside of Target bigshot John Mulligan saying he was “deeply sorry.”
Contrast that with how things are handled in South Korea. The January following the Target hack, news came out that an IT employee of the Korea Credit Bureau had been arrested for stealing account information from the customers of three South Korean credit card companies and selling it to marketing companies. The managers of those marketing companies were also arrested. Over 20 million customers, 40% of the entire population, were affected.
Seems the credit card companies had been storing the account information in an unencrypted database, an act of criminal negligence in the payment card industry. As such, the thief simply copied it all to a USB flash drive and easily sold it to his accomplices.
The fallout from this was swift and decisive. Gov. Choi Soo-hyun, chief regulator of South Korea’s Financial Supervisory Service, promised stern punishment of the responsible parties. “We will hold them fully responsible for the data leak if their sharing of client data among affiliates and lax internal control turn out to be the cause,” he said. The following week, regulators also banned the three credit card companies from adding new customers, or offering new services or products for the next three months.
The reaction from the Korean credit card companies was stunning. There was no beating around the bush, no evasive answers at mealy-mouthed Congressional hearings, no covering up and dodging the issue, no making excuses about how they had been out-smarted by genius super-hackers, no running away from responsibility. The three credit card firms said they would fully cover any financial losses suffered by their customers from scams linked to the data leak. “We will take any legal and moral responsibility for the cases of the personal information leak,” the three companies said in a joint statement.
Then, the real taking of moral responsibility began to happen: top executives at the three credit card companies, and some of the affiliated banks, began to resign.
First, the upper management team of KB Financial offered their resignation en masse. Then, Sohn Kyoung-ik, chief of Nonghyup’s credit card business division, also resigned. Officials from Lotte Card Group followed suit. Over 37 banking and credit card company officials tendered their resignations, taking full responsibility for the incident.
The pictures online of the press conferences, where the officials appeared publicly to resign, were quite striking. Rows of neatly-dressed bankers and credit card moguls in their dark-colored business suits, bowing deeply from the waist, heads hung in profound shame, disgrace and humiliation.
Visit http://www.businesskorea.co.kr/news/articleView.html?idxno=3007 to see the Korean idea of responsibility.
Here we are, almost three years after the great Target credit card hack, with the benefit of hindsight, looking back at the many months of hem-hawing, blame-gaming, finger-pointing and question-avoiding that finally led to a few things having sorted themselves out. Target CIO (Chief Information Officer, the person often responsible for security) Beth Jacob was fired/resigned after Target CEO Gregg Steinhafel announced Target was overhauling its information security practices. Then, Target announced that Steinhafel was also resigning, stating that Steinhafel “held himself personally accountable” for Target’s loss of credit card and personal information for 110 million Target shoppers.
Will any of this actually lead to change for the better? Clearly, the two Target resignations pale in comparison to South Korea’s, and come only after clear signs that the 2013 holiday season hack affected Target’s bottom line. Target’s profits dropped 5% immediately after the hack, and its stock dived almost 20% compared to the previous year; overall profits were off more than 40%. That certainly must have gotten the attention of Target’s Board of Directors, who engaged in “extensive discussions” with CEO Steinhafel before his resignation was announced.
Perhaps massive profit loss is what it takes to make people regard Internet crime and computer security seriously. As sad as that may sound, maybe that’s how it’s always been. If so, stand by; I’m sure there will be more.