Slashdot Mirror


20 Million People Exposed In Massive South Korea Data Leak

wiredmikey writes "While the recent data breach that hit Target has dominated headlines lately, another massive data breach was disclosed this week that affected at least 20 million people in South Korea. According to regulators, the personal data including names, social security numbers, phone numbers, credit card numbers and expiration dates of at least 20 million bank and credit card users was taken by a temporary consultant working at the Korea Credit Bureau (KCB). The consultant later sold the data to phone marketing companies, but has since been arrested along with managers at the companies he sold the stolen data to. A similar insider attack occurred at Vodafone late last year when a contractor made off with the personal data of two million customers from a server located in Germany. According to a study from PwC, organizations have made little progress developing defenses against both internal and external attackers, and insiders pose just as great a security risk to organizations as outside attackers."

10 of 53 comments

  1. So how do you defend against this? by Anonymous Coward · · Score: 2, Insightful

    The data at some stage will be unencrypted or there will be some developer or admin who knows how to unencrypt it.

    It doesn't matter if you pay your staff well - people can still be blackmailed / need money to pay off debts.

    1. Re:So how do you defend against this? by ShanghaiBill · · Score: 5, Insightful

      We need to get rid of the idiotic idea that quasi-public information like SSNs and CC numbers are "secret". Nobody should be able to impersonate you by knowing your SSN, anymore than they can by knowing your name. Likewise, we should get rid of mag-stripe CCs, and switch to a more secure system like much of the rest of the world already has. These data breaches are just a symptom of a deeper problem: No sane system should require that the same information be both secret and widely known.

  2. No surprise by Mashiki · · Score: 4, Insightful

    After all, S.Korea uses an ActiveX plugin for all their security needs... massive single point of failure and all that.

    --
    Om, nomnomnom...

    1. Re:No surprise by ColdWetDog · · Score: 2

      They didn't need to. Inside physical access trumps dodgy software any day.

      Humans are always the weak link. /Skynet.

      --
      Faster! Faster! Faster would be better!

  3. boooo hostile redirects by Mashdar · · Score: 2

    I did not access beta.slashdot.com. I accessed the main website. Breaking my UI is not welcome...

  4. The beta will kill Slashdot if it goes live. by Anonymous Coward · · Score: 5, Interesting

    You're not alone.

    As somebody who has worked in the software industry for decades now, I find it stunning that the Slashdot beta project has not been terminated yet. It's a failure in every single sense. The users here almost all absolutely hate it. It looks worse than the existing site. It functions worse than the existing site. I think it's slower than the existing site. There is so much wasted empty space. The fonts are harder to read. The discussion is much, much more difficult to follow. It's harder to post a comment. Being forced to use it unexpectedly affects users trying to use the existing site!

    And those comparisons are to an existing Slashdot site that was Web 2.0-ified a while back, making it even shittier than the site that preceded it!

    While we should be accustomed to social media web sites shitting all over their users with bad redesigns, Slashdot is really taking it a step beyond with this beta site. I can sincerely see a Digg v4-style disaster happening again if the beta site goes live, it's just that bad. The beta will drive away the few remaining users of value.

    I sure hope that Slashdot does the right thing, and puts an end to this beta site project. Nothing good will come out of it, aside from lessons about what not to do. Everything about the beta site is just plain bad. Terminate the project, throw away the code, and move on. And do this well before the beta site ever replaces the current one!

  5. Re:Eventually by rubycodez · · Score: 3, Insightful

    Nonsense, this is the result of very poor security and no obscurity; using a credit card number or SS # is silliness. Transactions with private keys and verification are the way to do things; this is a solved problem that the governments and credit card companies are not using.

  6. Not "just as great", much greater by swillden · · Score: 2

    Insiders don't pose "just as great" a risk, they're by far the bigger risk.

    Nearly any attack vector usable by an outsider is also usable by an insider, but the converse is not true. This means that insiders are the primary risk to consider, in fact insiders are almost the only risk you need to think about. "Almost" because attack vectors aren't the only consideration, you also have to look at motivations and capabilities, and it may be that external attackers have motivations or capabilities that insiders do not. In most contexts, though, if you can protect against insiders, addressing the remaining external risks will be trivial.

    My day job is about securing a substantial database of very sensitive information, in a commercial context that has highly capable insiders. Insiders are, to a first approximation, the only attackers I think about. This sometimes annoys people who really want to say "But I can be trusted!" (but mostly are smart enough not to actually say it).

    In my previous job, I was a security consultant, working with many Fortune 500 firms, and the same viewpoint was the right perspective nearly all of the time there as well. Of course, most clients didn't want to hear that, because protecting against insider threats is generally hard, tedious and unsexy.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

  7. Defending against inside attackers is hard by joh · · Score: 3, Interesting

    Really. You'd need military-grade security and strictly planned access levels -- and then look at what Snowden did.

    Even more, in most companies there's just no way to implement this. Data is just what they're working with and often the most basic security is bypassed or never implemented just because it's too bothersome while being without any immediately visible gain.

    Come on, every admin out there will know that just too well. Security against attacks from the outside, yes. Security against attacks from the inside? Forget it. People need to work with the data, and even just making sure that people have only the access they really need is often so much bother that nobody wants to start with that.

    1. Re:Defending against inside attackers is hard by 93+Escort+Wagon · · Score: 2

      Really. You'd need military-grade security and strictly planned access levels -- and then look at what Snowden did.

      Seems like we read, a while back, that at least some of what he grabbed was off a Sharepoint server - not exactly military-grade security.

      --
      #DeleteChrome