Remember the great Target Stores credit card hack of 2013? 110 million Target customers, including myself, had their credit card information put at risk and/or stolen last November and December because of Target’s crummy Internet security practices.
In typical American fashion, nobody lost their job or even got yelled at because of this massive act of negligence, which resulted in the largest theft of credit card information in world history. Sure, there were some hearings on Capitol Hill back in early February, but not much happened, outside of Target bigshot John Mulligan saying he was “deeply sorry.”
Contrast that with how things are handled in South Korea. In January, news came out that an IT employee of the Korea Credit Bureau had been arrested for stealing account information from the customers of three South Korean credit card companies and selling it to marketing companies. The managers of those marketing companies were also arrested. Over 20 million customers, 40% of the entire population, were affected.
Seems the credit card companies had been storing the account information in an unencrypted database, an act of criminal negligence in the payment card industry. As such, the thief simply copied it all to a USB flash drive and easily sold it to his accomplices.
The fallout from this was swift and decisive. Gov. Choi Soo-hyun, chief regulator of South Korea’s Financial Supervisory Service, promised stern punishment of the responsible parties. “We will hold them fully responsible for the data leak if their sharing of client data among affiliates and lax internal control turn out to be the cause,” he said. Last week, regulators also banned the three credit card companies from adding new customers, or offering new services or products for the next three months.
The reaction from the Korean credit card companies was stunning. There was no beating around the bush, no evasive answers at mealy-mouthed Congressional hearings, no covering up and dodging the issue, no making excuses about how they had been outsmarted by genius super-hackers, no running away from responsibility. The three credit card firms said they would fully cover any financial losses suffered by their customers from scams linked to the data leak. “We will take any legal and moral responsibility for the cases of the personal information leak,” the three companies said in a joint statement.
Then, the real taking of responsibility began to happen: top executives at the three credit card companies, and some of the affiliated banks, began to resign.
First, the upper management team of KB Financial offered their resignation en masse. Then, Sohn Kyoung-ik, chief of Nonghyup’s credit card business division, also resigned. Officials from Lotte Card Group followed suit. At last count, at least 37 banking and credit card company officials have tendered their resignations, taking full responsibility for the incident.
The pictures online of the press conferences, where the officials appeared publicly to resign, are quite striking. Rows of neatly dressed bankers and credit card bigwigs in their dark-colored business suits, bowing deeply from the waist, heads hung in profound shame, disgrace and humiliation.
Here we are, almost six months after the great Target credit card hack, after months of hemming and hawing, blame-gaming, finger-pointing and question-avoiding, and at last a few things seem to be finally sorting themselves out. Target CIO (Chief Information Officer, the person usually responsible for security) Beth Jacob was fired/resigned after Target CEO Gregg Steinhafel announced Target was overhauling its information security practices. Then Monday, May 5, Target announced that Steinhafel was also resigning, stating that Steinhafel “held himself personally accountable” for Target’s loss of credit card and personal information for 110 million Target shoppers.
Will any of this actually lead to change for the better? Clearly, the two Target resignations pale in comparison to South Korea’s, and come only after clear signs that the 2013 holiday-season hack has affected Target’s bottom line. Target’s profits dropped 5% immediately after the hack, and, to date, stock is down almost 20% compared to a year ago; profits are off more than 40%. That certainly must have gotten the attention of Target’s Board of Directors, who engaged in “extensive discussions” with CEO Steinhafel before his resignation was announced.
Perhaps massive profit loss is what it takes to make people regard Internet crime and computer security seriously. As sad as that may sound, maybe that’s how it’s always been. If so, stand by; I’m sure there will be more.