Slashdot Mirror

← Back to Stories (view on slashdot.org)

Two Arrested For Hacking Personal Data of 8.7 Million Phone Users

Posted by samzenpus on from the all-your-info-are-belong-to-us dept.

An anonymous reader writes "South Korea's second largest wireless service provider has apologized after personal data of 8.7 millions of its mobile phone subscribers was stolen by hackers. The details are suspected to have been sold to marketing firms, netting the hackers close to $1 million. From the article: 'South Korean police have arrested two men who allegedly stole the personal information of about 8.7 million cellphone customers from KT Corp., the second biggest mobile carrier in South Korea. The company alerted police on July 13 after detecting traces of hacking attacks. The data was collected for the last five months, starting in February 2012.'"

43 comments

  1. And what happens to the marketing firms? by popo · · Score: 4, Interesting

    I don't know anything about Korean law, but aren't they liable as well if they purchase goods that are stolen, or have a reasonable likelihood of being stolen?

    --
    ------ The best brain training is now totally free : )
    1. Re:And what happens to the marketing firms? by Anonymous Coward · · Score: 2, Funny

      They start marketing security tools would be my bet...

    2. Re:And what happens to the marketing firms? by seven+of+five · · Score: 3, Insightful

      Since the phone numbers have proven to be illegal and illegitimate, the marketing co's will do the right thing and not use them, right? Right?

    3. Re:And what happens to the marketing firms? by wvmarle · · Score: 2

      I have no idea whether such laws apply to, as I would rather call it, inappropriately aquired data. After all, theft, stolen goods and handling stolen goods normally refer to physical goods. This is data we are talking about: the victims have not physically lost anything. They had data copied from their devices - which as I understand is illegal in Korea - but the device itself was not stolen.

      It's an interesting point anyway; anyone has any idea how this works in other jurisdictions? Any real-world examples?

    4. Re:And what happens to the marketing firms? by JaredOfEuropa · · Score: 1

      Not sure about this particular case, but not too long ago a Dutch judge ruled that Internal Revenue was allowed to use stolen data to go after people who had unreported savings in Swiss bank accounts. The data was stolen, and known to be stolen, but the judge reasoned that there was no problem since our IRS weren't buying the data from the thief directly, but from the German IRS who had obtained it from a Swiss whistleblower.

      But that's the IRS we're talking about, and if you dig a little deeper, it is quite scary what powers they have in various countries. But for normal companies, using this data would be a big no-no under the kind of data protection and privacy acts we have around here.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    5. Re:And what happens to the marketing firms? by Ogive17 · · Score: 1

      That's the first thought I had as well after reading the summary. First of all, I'm sure the marketing firm will claim they thought the information was legit. Secondly, businesses in S. Korea practically run the gov't... someone probably has enough connections to keep the marketing firm out of trouble.

      --
      "Action without philosophy is a lethal weapon; philosophy without action is worthless."
    6. Re:And what happens to the marketing firms? by FireFury03 · · Score: 2

      I don't know anything about Korean law, but aren't they liable as well if they purchase goods that are stolen, or have a reasonable likelihood of being stolen?

      My experience here in the UK is:

      I used a popular car insurance comparison website when I was shopping around for cheaper car insurance. On this website I had to enter various personal details such as name, address, date of birth, claim history, etc. Soon afterwards I started receiving cold-calls in connection with the accidents in my claim history. These calls usually started by claiming to be from "the insurance company" and implying they were my insurer, without actually providing the name of the insurer. Initially I wondered if "the insurance company" might actually be the other party's insurer rather than mine (so I was very wary), but when pressed for more detail they put up various BS claims about how they couldn't give me the information I asked for because of the data protection act - I do know my rights under the DPA and I pushed further and eventually it turned out they were actually personal injury lawyers. They wanted me to make a personal injury claim, and still encouraged me to make a claim even after I pointed out that no one was injured, and in fact no one was even in the car when the accident happened (it was parked, someone drove into it).

      Some time later, I started getting calls from other companies (this time in connection with PPI, which isn't even targetted advertising any more since I've never had PPI). They insisted that they didn't need to screen calls against the telephone preference service because I had "agreed" to receive them (the ICO has confirmed that this is not true - they still need to screen against TPS). Eventually, after a lot of correspondance with these cold-calling companies (who were surprisingly cooperative), I discovered that some of the information had come from a marketing company that I had never heard of, but this company had very clearly acquired my details from the insurance comparison site (they even ran their oen insurance comparison site, although this wasn't the one I used).

      Unfortunately, things pretty much stop here - the company that has been selling my details claims that they phoned me and I verbally agreed to receive promotional material from "partner companies". I can neither confirm nor deny whether they phoned me, but I am certain I would never have agreed to this. Unfortunately they have so far declined to provide any evidence to support their position, I have no evidence to support mine, so it's my word against theirs. As far as I can tell, they have taken my details and illegally sold them to a bunch of people, who have then sold them to a bunch of people, etc. The people they sold them to believe that the details the bought were authorised by me, the people further down the chain have even less reason to believe that the information is being distributed illegally.

      In short:
      1. Although the company responsible for illegally selling off my details could probably notify everyone they've sent the data to, they have no inclination to do so.
      2. The data has been bought and sold so many times that there's no way to remove it from everyone's possession - it will continue to be bought and sold and there's nothing I can do to bring it back under my control.
      3. The ICO seems disinclined to help, probably because they already know there's no way to stop the dissemination of this data now it has spread so far and wide.

      The situation in SK would likely be similar - the original marketing companies may well have bought the datsa in good faith, and have now sold it to a bunch of other companies, who have sold it to more companies, etc. There's no way to retract this information now - its been spread too far and wide and the people lower down the chain won't have any idea WTF it came from originally.

      The only solution to these kinds of problem that I can see is to outlaw the transfer of personal data between companies wit

      --
      http://blog.nexusuk.org
    7. Re:And what happens to the marketing firms? by gnasher719 · · Score: 1

      But that's the IRS we're talking about, and if you dig a little deeper, it is quite scary what powers they have in various countries. But for normal companies, using this data would be a big no-no under the kind of data protection and privacy acts we have around here.

      Since you are talking about German IRS, they have the duty and huge powers to find out what your income is. They don't have any right to use this information except to get the right amount of tax from you, and possibly fine you or prosecute you for cheating on your taxes. I don't quite know what you would find scary about that.

    8. Re:And what happens to the marketing firms? by JaredOfEuropa · · Score: 1

      It's scary because there's a lack of due process. All gov't bodies should be subject to this, and that is mostly the case. The police cannot enter your house without a warrant (b.t.w. in NL that sadly is no longer the case), and obtaining evidence, statements and confessions is all subject to certain rules (no torture or duress, lawyer must be present, etc) or the evidence will not be admissible in court. You are presumed innocent until proven guilty.

      But the IRS play by different rules. I doubt very much that this stolen data would be admissible in normal criminal or even civil proceedings, even when obtained "legally" from another agency who bought it from the source. They can obtain information from *any* source, including anonymous tips, simply increase your estimated income and holdings by any amount they see fit, and slap you with a higher tax and fine. The burden of proof is on your shoulders to discount whatever rumour they might have picked up. I've seen some ugly examples of this, and not all are about people hiding their money or criminals.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    9. Re:And what happens to the marketing firms? by Schmorgluck · · Score: 1

      Unfortunately they have so far declined to provide any evidence to support their position, I have no evidence to support mine, so it's my word against theirs.

      No, it's not. If they have no proof you agreed, they are clearly in violation of your rights. On this respect, the burden of proof is on them, as long as you have proof that it was they who disclosed your data to third parties.

      Then again, I don't really know how the enforcement of this works in the UK.

      --
      There's nothing like $HOME
    10. Re:And what happens to the marketing firms? by FireFury03 · · Score: 1

      No, it's not. If they have no proof you agreed, they are clearly in violation of your rights.

      I didn't say "they have no proof", I said "they haven't provided any proof". In any case, it hardly matters - the ICO has no interest in prosecuting.

      --
      http://blog.nexusuk.org
    11. Re:And what happens to the marketing firms? by BlackThorne_DK · · Score: 1

      Didn't they loose their privacy?

    12. Re:And what happens to the marketing firms? by mcgrew · · Score: 1

      Didn't they loose their privacy?

      No, someone else loosed it.

      --
      Free Martian Whores!
    13. Re:And what happens to the marketing firms? by Spy+Handler · · Score: 1

      no, their privacy was loosened with a screwdriver.

  2. Holy shit by Anonymous Coward · · Score: 0

    that is a lot of phone users. Those guys are fucking stupid.

  3. Over 5 months in Korea? by Teun · · Score: 2

    I thought Korea had the fastest internet, couldn't they have done this in just a few minutes?

    --
    "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    1. Re:Over 5 months in Korea? by Anonymous Coward · · Score: 0

      Or maybe you collect data "over" 5 months? You know, new subscribers.. and stuff.

  4. First SK Communications now KT Corp by Anonymous Coward · · Score: 0

    I would imagine those users already had their personal details stolen back in July 2011 when 35 million people (practically the entire population of South Korea) had their details hacked from another telecommunications provider - SK Communications. Is this a systemic issue in South Korea?

    1. Re:First SK Communications now KT Corp by Anonymous Coward · · Score: 0

      Perhaps now the South Korean government will start requiring that citizens NOT use their real name online?

    2. Re:First SK Communications now KT Corp by korean.ian · · Score: 1

      I would imagine those users already had their personal details stolen back in July 2011 when 35 million people (practically the entire population of South Korea) had their details hacked from another telecommunications provider - SK Communications. Is this a systemic issue in South Korea?

      With the South Koreans' over-reliance on Windows, yes. Added to that software monoculture are some terrible security practices. These practices are widespread in the Korean IT industry, and I'm sure would make any competent sysadmin run screaming to the hills. Part of that is there is still the old guard in play there, and due to South Korea's slow adaptation of challenging upper management due to cultural values, this problem will likely remain in place for some time still.

  5. oh I see by Anonymous Coward · · Score: 0

    details are suspected to have been sold to marketing firms

    So the problems are that
    1) the "service provider" didn't get a cut from selling personal data to marketing firms;
    2) the publicity has meant that the public are aware that personal data has been passed to marking firms.

    It's sad that the data was stolen, though. I mean, why would you physically take the storage medium? How will the original owners ever get it back?

  6. Wtf? by Viol8 · · Score: 1

    "fter all, theft, stolen goods and handling stolen goods normally refer to physical goods"

    Have you just stepped through a timewarp from the 1980s? In almost all western countries (and probably korea) theft now includes data including personal details.

    "This is data we are talking about: the victims have not physically lost anything"

    Christ, this argument was old in the 80s. If someone steals your personal data you have potentially lost something FAR more valuable than the physical machine they retrieved them off.

    Do yourself a favour and join the 21st century with the rest of us.

    1. Re:Wtf? by will_die · · Score: 5, Funny

      Yea but this is slashdot so it is not stealing it is piracy and the "victims" have not lost anything. The copiers have not done anything wrong by taking these bits and distributing it how the "owners" did not originally agree to.

      After all if the owners had made the product available in a format and manner the would be buyers had wanted it they would not had to resort to this method to get the info.

    2. Re:Wtf? by Anonymous Coward · · Score: 1

      No it doesn't.

      Just because the popular media use terms like "stealing information", it doesn't mean that the law thinks of it that way.

      English law has lots of stuff about unauthorised access to a computer system (Computer Misuse) and unauthorised processing of data (Data Protection), but nothing about "stealing" data. To "steal" is defined in the Theft Act as to commit theft, and committing theft is the dishonest appropriation of property belonging to another with intent to permanently deprive the other of it. Its succinct definition still applies today and should be lauded by geeks for neatly clarifying what theft is not.

  7. In America by Anonymous Coward · · Score: 1, Interesting

    They have entire companies who do exactly this, thousands of some of the brightest minds dedicated to extracting as much data about you as possible through any measure.
    they give them names like
    Google
    Facebook
    Apple
    Adobe Omniture
    Comscore
    Neilson

    even re-defining a word for this covert spying called "analytics"

    See if 1 or 2 people get your info, we call them hackers, if a gang of people under a collective name with TM symbol , then this its called a "business" in America and its actions are to be applauded.

    1. Re:In America by gl4ss · · Score: 1

      we're quite far ways from facebook going and hacking my phone records -from my telephone operator- to match phonenumbers to all my contacts.

      though that might be handy actually.

      --
      world was created 5 seconds before this post as it is.
  8. It's a shame really. by VortexCortex · · Score: 1

    Making completely secure programs and services is possible, but it's far too expensive for today's short sighted folks.

    Most say I'm a nutter for building my own OS from scratch, but I just can't find ANYONE who develops operating systems or applications with security as the highest priority. I try to exploit every line of code I write, and use a variety of unit tests involving input fuzzing, memchecks, etc to keep me honest. Sure development is slower (esp. refactoring), but I can sleep at night knowing the code I wrote does what I intended it to do, and nothing more.

    Furthermore, security isn't #1 from a design perspective in any modern OS. For instance: Having the stack grow in the opposite direction that Arrays are indexed is utterly MORONIC, yet that's the way most everyone does everything... In my OS a buffer overrun doesn't crap all over the stack because the heap and stack grow in opposite directions, and arrays are indexed in the same direction of stack growth. Thereby significantly reducing or eliminating overruns as exploit vectors by design -- They access unallocated memory and/or cause a segmentation fault instead.

    Programs are deployed as platform agnostic intermediate representations (.o / .OBJ), and linked into native machine executable binaries at install time. The same code I write and "compile" on x86 can be installed on ARM, x64, etc. I don't need a VM to provide cross platform support, and I can create a rigorous "debug" or "security audit" build from the "release" build. These are just a few examples...

    That said, my OS is still a work in progress. It's taken me almost 8 years just to get the boot loader, file system, terminal and Ethernet / IP stack running, but I only work on it in my spare time -- You'd think someone like Microsoft or Google could pull something like this off in far less time; Protip: That's why C# and Android/Davlik exist, but these don't grant access to the bare metal and are developed with profit, adoption, and compatibility as highest priorities... I wouldn't give a damn about those goals until AFTER security has been addressed, and even then I won't care about adoption or profit -- Those are the worst possible goals when developing software.

    TL;DR: You will have no security as long as profit and adoption drive progress.

    1. Re:It's a shame really. by icebraining · · Score: 1

      Is the code of your OS formally proven?

      --
      Dilbert RSS feed
  9. "All recovered back" by Anonymous Coward · · Score: 0

    I live in Korea and my personal information is also stolen.
    The KT Corp. apologized its customers, and also said that "all stolen personal data are recovered back", which is one of the most stupid things I've heard for quite some time.

  10. Nigerian hackers by schizz69 · · Score: 2

    Now spamming you in badly written Korean.

    1. Re:Nigerian hackers by Anonymous Coward · · Score: 0

      ...and commentors spamming you in poorly written engrish

  11. Re:Big deal by DJRumpy · · Score: 2

    Yes. I'm still wondering why Murdoch and his FOX ties to hacking haven't resulted in an arrest. Why are CEO's immune while 'regular' people are not?

  12. Re:Big deal by __aaltlg1547 · · Score: 1

    Yes. I'm still wondering why Murdoch and his FOX ties to hacking haven't resulted in an arrest. Why are CEO's immune while 'regular' people are not?

    They can usually erect a barrier of obfuscation between themselves and the lawbreaking. It's called plausible deniabilty.

  13. Re:Big deal by DJRumpy · · Score: 1

    It still sets a really bad precedent. If corporations are 'people', then they should be treated the same. This is one of those things that really infuriates me that corporations get away with some pretty nasty (illegal) activities, and pay a paltry fine and walk free, while average people are (rightly) jailed and prosecuted.

  14. Re:Big deal by mjwx · · Score: 1

    Yes. I'm still wondering why Murdoch and his FOX ties to hacking haven't resulted in an arrest. Why are CEO's immune while 'regular' people are not?

    I believe the two in question are Asian 'regular' people.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.
  15. Re:Big deal by Anonymous Coward · · Score: 0

    Is that relevant?

  16. Re:Big deal by __aaltlg1547 · · Score: 1

    Make the CEO and Chairman of the Board personally punishable for crimes committed by the company. That would stop most corporate crime.