20 Million Reasons to Focus on Security

This story sends a few shivers down the spine.

20 million (yep, million) people in South Korea have had their credit card details stolen.  That’s almost half the entire population.

The data was reportedly stolen by a single computer contractor who was working on behalf of the Korea Credit Bureau (I’m guessing they don’t work there anymore), and then sold on to phone marketing firms.

Along with credit card information, the data also reportedly contained personal details such as addresses, phone numbers, names, and social security numbers. 

According to the BBC the contractor logged into the internal servers of three credit card firms – KB Financial Group, NongHyup Financial Group and Lotte Group to fetch the data, and then transferred it via (and I’m not making this up) a USB stick.

There are a lot of things that are bizarre about this story – one, why wasn’t this kind of sensitive data encrypted?  Two, how could one person single-handedly cause so much trouble?  They didn’t exactly get away with it (the contractor and several people from the marketing firms have been arrested), but the fact that nobody realised until after the deed was done is extremely alarming.

IT Security at its most basic comes in two different forms – procedural, and technical.

The procedural part is all about creating policies and involving your staff in those policies, so they stand a good chance of spotting suspicious activity and flagging it up.  The contractor who stole the data was obviously abusing his position, but simple things like, ‘Say, what are you doing with that USB stick?’ wouldn’t go amiss (see my blog on the Santander breach for more info on this).

It’s all about getting into good security habits.  Things like changing your password on a regular basis, not writing down sensitive information and disposing of paper properly.  And, broader than that, becoming aware of what you’re not currently aware of (James Lyne, Sophos’ Director of Technology Strategy, could tell you a few harrowing facts about the sort of information your smartphone gives out if it’s ever connected to a wifi network).

The second part, the technical aspect, is not just about making sure that sensitive data is encrypted.  Encryption only keeps data from people who aren’t authorised to read it; a contractor who is logged into the servers with a legitimate account gets it decrypted as part of the job.  So it’s also about making sure you can see what’s going in and out of your system, so that one account pulling millions of customer records, or copying them onto removable media, gets noticed while it’s happening rather than after the fact.
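To make that concrete, here is an added example (mine, not anything from the post or from the firms involved) of the kind of check the technical side is about. It scans a small audit log that I have constructed for this example, in a made-up format of one event per line, and raises two flags: an account whose total exported record count is far above a cap, and an account that writes to removable media shortly after a large export. The thresholds, the user names and the log format are all assumptions for illustration.

```python
"""Added example, not from the original post or any real bank's tooling:
a minimal 'see what is leaving the system' check over a constructed audit log."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (made up for this example), one event per line:
#   <ISO timestamp> <user> <event> <key=value ...>
# 'export' events carry the number of records a query returned;
# 'usb_write' events carry the bytes written to a removable device.
SAMPLE_LOG = """\
2014-01-08T09:02:11 analyst01 export records=1200 source=cardholder_db
2014-01-08T09:40:53 analyst02 export records=800 source=cardholder_db
2014-01-08T10:15:07 contractor7 export records=6500000 source=cardholder_db
2014-01-08T10:20:30 analyst01 export records=950 source=cardholder_db
2014-01-08T10:41:02 contractor7 usb_write bytes=3900000000 device=sdb1
2014-01-08T11:03:44 contractor7 export records=7200000 source=cardholder_db
2014-01-08T11:30:19 analyst02 usb_write bytes=20000000 device=sdc1
"""


def parse(log_text):
    """Turn the text log into (timestamp, user, event, details) tuples, sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, *fields = line.split()
        details = dict(field.split("=", 1) for field in fields)
        events.append((datetime.fromisoformat(ts), user, event, details))
    events.sort(key=lambda e: e[0])
    return events


def flag_bulk_exports(events, max_records_per_user=10_000):
    """Sum exported records per user and return those over the (assumed) cap."""
    totals = defaultdict(int)
    for _, user, event, details in events:
        if event == "export":
            totals[user] += int(details["records"])
    return {user: n for user, n in totals.items() if n > max_records_per_user}


def flag_export_then_usb(events, window=timedelta(hours=2), min_records=10_000):
    """Flag a user who writes to removable media within `window` of a large export.

    Returns (user, export_time, records_exported, bytes_written) per incident.
    """
    alerts = []
    for i, (ts, user, event, details) in enumerate(events):
        if event != "export" or int(details["records"]) < min_records:
            continue
        for ts2, user2, event2, details2 in events[i + 1:]:
            if ts2 - ts > window:
                break  # events are sorted, nothing later is inside the window
            if user2 == user and event2 == "usb_write":
                alerts.append((user, ts.isoformat(), int(details["records"]),
                               int(details2["bytes"])))
                break
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("over export cap:", flag_bulk_exports(evs))
    print("export followed by USB write:", flag_export_then_usb(evs))
```

Neither check is clever: the point is that a query returning millions of cardholder rows, and a multi-gigabyte write to a USB device straight afterwards, are both loud signals if anybody is looking at the logs. A real deployment would baseline per-role volumes rather than use a fixed cap, but even this crude version would have lit up on the first morning.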

Though the Financial Services Commission have said they will cover any financial losses, I’m sure that will prove little comfort to the millions of people whose personal data has been shared.

It’s about being preventive instead of reactive, and reacting after the fact is unfortunately all that happened here.