Briefing

Home>Press>Briefing

    Measures to Prevent Reccurrence of Personal Data Breach
    February 14, 2014

Measures to Prevent Reccurrence of Personal Data Breach

January 22, 2014
FSC Chairman Shin Je-Yoon

First of all, I express deep apology for causing public concern and inconvenience due to the personal data leak accident.

The government is focusing all our efforts in relieving the social chaos and the public anxiety.

We promise that such accident would never happen again.
I will brief you on the details of the data leak accident.

Details of the accident.

The police confirmed that about 100 million leaked information from the three credit card companies has not been circulated.

The employees of KCB and marketing firms were arrested and all data was confiscated beforehand.

According to the FSS, the breached data includes personal details of credit card customers and bank clients

and even the information of those who cancelled transaction.

Personal information such as annual income was leaked

but credential details such as PIN numbers and CVC codes were not included.

Despite government's swift countermeasures,

public anxiety intensified during the process of informing each clients about the accident.

Since all information has been confiscated before being circulated,

there is no possibility of further financial losses.

The investigative authorities have confirmed several times

that the leaked information was not circulated in the market.

Vice Minister of Justice will explain in details after the briefing.

During the past year since the initial point of credit card data leak,

there hasn't been single reported cases of losses due to the accident.

Moreover, since the issue rose above the surface recently,

not a single case of further loss has been reported so far.

There hasn't been any case of financial loss due to the accident.

According to the FSS investigation, fraudulent use of the leaked data is virtually impossible

because credential information such as PIN number and CVC code has not been breached.

Therefore, there is no need for the financial customers to be anxious at all.

Once again, there has not been a single case of loss resulting from fraudulent use of leaked data.

Aside from the recent accident, the government will devise and introduce additional measures

to ensure customers to use their credit cards without any worries.

In case of any damage resulting from fraudulent use of credit cards,

the credit card companies will fully compensate all financial losses.

Moreover, all credit card firms will provide notices on all credit card payments.

We will consider additional identity validation process for some merchants

that only require credit card numbers and expiry dates.

Stringent measures to prevent any attempt for fraudulent transactions amid widespread concerns will be implemented.

Any financial transactions exceeding 1 million won will require additional identity validation process for the time being.

The government will establish electronic financial fraud response system by coordinating with the relevant authorities

and immediately block internet websites and phone numbers used for financial fraud.

Moreover, the FSC and the FSS will operate a daily monitoring task force for 24 hours jointly with credit card companies.

Credit card companies will provide any necessary means to minimize customer inconvenience.

Credit card companies will operate emergency system and extend working hours until late evening and even during the weekends.

All available manpower will be dispatched to swiftly respond to customer needs if necessary.

To minimize customer inconvenience when contacting call centers, card companies will reinforce call center employees and extend phone lines.

Credit card companies are working on their website to directly link customers to the page for re-issuing cards from personal data leak inquiry system.

They are also increasing the number of computer servers and enhancing internet connection conditions.

The number of credit card manufacturers and shipping agencies will be increased so that customers can receive newly-issued cards more quickly.

The authorities will thoroughly probe into the accident and strictly punish those who are responsible.

The card data breach was a man-made disaster that could have been prevented by complying with basic security procedures.

Other credit card companies could save themselves from the accident because they faithfully followed security regulations.

The government will impose the strongest punitive measures possible under the current to the responsible credit card companies within February,

and related employees will also be held responsible.

If such accident occurs again, such company will not be shut down and never be able to return to the financial industry again.

The government will respond systematically to settle the data leak accident swiftly.

The authorities will operate a 24-hour response team and initiate intensive crack down on illegally collecting and circulating personal details.

Moreover, to relieve public anxiety, the government will provide accurate and credible information about the accident.

The FSC and credit card companies have posted response manual and frequent questions and answers for customer convenience on the website.

Details are on the next page of the distributed document.

Measures to prevent reoccurrence.

Basically, damages incurred from data leak will be minimized by mandating financial firms to hold minimum necessary amount of personal data.

Financial company's current practice of collecting and storing customer data will also be improved.

Demand for illegal personal information will be rooted out

while strengthening the responsibility of financial firms and related executives on personal information protection.

Administrative sanctions and punishments will be significantly enforced and financial penalties will be charged.

The government will review the legitimacy of personal information held by financial firms.

The authorities will overhaul the current conditions of customer information management

and require financial companies to collect and store necessary details only.

Collecting and using personal data for marketing purposes will be strictly prohibited.

Financial companies will only be permitted to keep customer details for up to 5 years since the contract expiry.

Personal information of expired clients will also be strictly protected.

Personal details of the customers with contract expiry will be kept and managed separately

and the usage of such information for marketing purposes will be strictly prohibited.

Personal data sharing practices among affiliates will be improved.

Use of personal information that has been exceptionally permitted under the Financial Holding Companies Act will be strictly limited.

Personal credit information of previous customers kept by spin-off companies will be managed separately.

The government will improve personal data management and circulation practices.

First, the government will significantly strengthen the authority and responsibility of those in charge of personal information protection.

Big enough financial companies will be required to appoint the person in charge of credit information protection as a board member

and the person will be mandated to regularly report to the CEO about important details related to personal data protection.

The government will improve internal control system and strengthen management of contractors.

The FSS will conduct regular and thorough inspections on financial companies to check whether they are faithfully complying with security measures.

Responsibility scope of outside contractor's CEO and CISO shall be clarified.

Portable storage devices from outside including notebook computers and USB sticks will be prohibited inside financial companies.

Regulations on providing personal data to a third party will be strengthened.

When signing an agreement to the provision of personal data, financial firms will be required to clearly state the terms of agreement.

Provision of personal information will only be permitted when financial companies clearly state receiver of the information.

Only personal information required for credit card optional services will be allowed to be provided to a third party.

Moreover, the information acquired by a third party will be allowed to be used only for the initial term stated in the agreement.

The regulators will root out the demand for illegally circulated personal information.

The regulators will conduct a thorough analysis on loan agent system and eradicate the market for illegally circulated personal data.

Companies purchasing illegal personal data will be imposed with equally strong punitive measures as those illegally circulating personal information in the market.

The government will consider introducing new punitive fine system.

Companies selling or illegally using personal information will be punished with significantly strengthened financial sanctions.

Doing so is expected to prevent illegal acts. The amount of fine will be increased as well.

Level of punishment against personal data theft will be significantly strengthened.

Current level of punishment under the Use and Protection of Credit Information Act and Electronic Financial Transaction Act will be strengthened to the maximum level.

Sanctions will also be strengthened to hold financial companies responsible for personal information management.

All executive officers will be held responsible for data leak accident.

The authorities are also considering to levy sanctions such as business suspension to credit information firms as well.

Future plan.

The measure to normalize current conditions will immediately take effect

and we will confirm and announce the details of the measures introduced today within February after discussion by the task force.

Revisions to related acts will be completed within the first quarter.

We will try to pass other related rules and regulations during the provisional session of the National Assembly in February.

A country poor in personal information protection can never be an advanced financial powerhouse.

Unlike typical face-to-face transactions, network based financial transactions can not exist without trust

that financial companies would protect customer's personal information.

We will take this as an opportunity to completely overhaul financial companies' current conditions of

collecting, circulating, managing, storing, and discarding client information.

Furthermore, we will make sure that such accident never happens again.

Moreover, we will exert the utmost efforts to bring up the security and credibility of Korea's financial system to the next level.

Once again, we express our deepest apology to all financial consumers for causing concerns due to the data leak accident.