Remember the great Target Stores credit card hack of 2013? 110 million Target customers, including myself, had their credit card information put at risk and/or stolen last November and December because of Target’s crummy network security practices.
Do you remember who got fired, fined, lost their job or even yelled at because of this massive act of negligence? You can’t remember because nobody has; that’s right, nobody at Target has gotten fired, fined, lost their job or (that I’ve heard of) even yelled at over the largest theft of credit card information in world history. Sure, there have been some hearings on Capitol Hill, but not much has come of them, outside of Target bigshot John Mulligan saying he was “deeply sorry.”
Do you remember the great Neiman Marcus credit card hack revealed in January of this year? Did you even hear about it? Apparently, lax computer security at Neiman Marcus allowed hackers to install malware on company computers, facilitating the theft of hundreds of thousands of credit card account over a period of four months in 2013. Do you remember who got in trouble over the incident; fired, fined, or even yelled at? Nobody, that’s who.
Maybe you heard about the great University of Maryland data breach of February, 2014. Shoddy security practices allowed the bad guys to steal information related to over 300,000 university and staff members, dating back 16 years. Stolen files included names, birth dates, Social Security numbers and school ID numbers. Yet, no university officials have even said, “Oops, sorry, our bad.”
The list of American companies and government agencies who have, over the years, because of one screw-up or another, allowed the personal and financial information of innocent Americans to be stolen by the Internet bad guys is quite lengthy. Common to all these situations is that, for the most part, nobody ever really gets in trouble. Maybe a few chump-change fines are levied here and there, or some junior-level executives are shifted to different departments, but at the end of the day, Enron-sized scandals end up reaping petty criminal-sized consequences.
Contrast that with how things are handled in South Korea. In January, news came out that an IT employee of the Korea Credit Bureau had been arrested for stealing account information from the customers of three South Korean credit card companies and selling it to marketing companies. The managers of those marketing companies were also arrested. Over 20 million customers were affected.
Seems the credit card companies had been storing the account information in an unencrypted database, an act of criminal negligence in the payment card industry. As such, the thief simply copied it all to a USB flash drive and easily sold it to his accomplices.
The fallout from this was swift and decisive. Gov. Choi Soo-hyun, chief regulator of South Korea’s Financial Supervisory Service, promised stern punishment of the responsible parties. “We will hold them fully responsible for the data leak if their sharing of client data among affiliates and lax internal control turn out to be the cause,” he said. Last week, regulators also banned the three credit card companies from adding new customers, or offering new services or products for the next three months.
The reaction from the Korean credit card companies, compared to how things are handled in the United States, was shocking. There was no beating around the bush, no evasive answers at mealy-mouthed Congressional hearings, no covering up and dodging the issue, no making excuses about how they had been out-smarted by genius super-hackers, no running away from responsibility. The three credit card firms said they would fully cover any financial losses suffered by their customers from scams linked to the data leak. “We will take any legal and moral responsibility for the cases of the personal information leak,” the three companies said in a joint statement.
Then, the unthinkable (to the Western mind, anyway) began to happen: top executives at the three credit card companies, and some of the affiliated banks, began to resign.
First, the upper management team of KB Financial offered their resignation en masse. Then, Sohn Kyoung-ik, chief of Nonghyup’s credit card business division, also resigned. Officials from Lotte Card Group followed suit. At last count, at least 37 banking and credit card company officials have tendered their resignations, taking full responsibility for the incident.
The pictures online of the press conferences, where the officials appeared publically to resign, are quite striking. Rows of neatly-dressed bankers and credit card bigwigs in their dark-colored business suits, bowing deeply from the waist, heads hung in profound shame, disgrace and humiliation.
Compare that to the wimpy psuedo-apology offered by Target chief Gregg Steinhafel. “I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this,” Steinhafel said in a prepared, online statement.
That’s great, Gregg. Don’t worry too much about it. I and the rest of your 110 million victims will manage, somehow. Meanwhile, how about if you resign and go get a job where you can’t hurt anybody else.