South Korea is in shock again after the authorities uncovered another massive data breach, this time exposing personal information on a whopping 27 million people which was then used to swindle them out of online gaming funds.
The South Jeolla Provincial Police Agency arrested a 24-year-old surnamed Kim late last week along with 15 others for the alleged data breach plot, according to the local Joongang Daily.
Kim is said to have received 220 million separate items belonging to 27 million citizens – around three-quarters of the South Korean population – from a Chinese hacker he met appropriately enough in an online game in 2011.
He then used a password extractor to log in to online game accounts and steal whatever virtual currency they held.
For those accounts he could not crack, Kim apparently bought ID card details from a bent phone retailer in Daegu and changed the passwords himself using a reset.
Kim apparently earned 400 million won ($390,919) by hacking accounts on six major gaming platforms, giving around a quarter of his earnings to the unnamed Chinese hacker.
He’s also suspected of selling on that hoard of personal information to others, namely to criminals involved in mortgage fraud and to illegal gambling advertisers.
This led in turn to secondary scams which are said by police to have caused financial losses in excess of two billion won ($1.9m), according to the report.
Police are apparently searching for seven other suspects, including the infamous Chinese hacker who effectively enabled the chain of events which led to this massive data breach.
Despite the high numbers breached in this incident, it’s not the worst such exposure of personal information in the world’s most wired nation.
In 2011, attacks directed at the Cyworld site and Nate portal managed to put at risk the account details of 35 million South Koreans.
Ifeanyi Nwabueze, technical consultant at F-Secure, told Infosecurity it’s no longer good enough to have “robust” security in name only; organizations also need to “do the simple things right.”
“In other words, patch your software, update your AV, encrypt where needed, reduce complexity where possible and review security policies and contingency plans often,” he added.
“Cyber attackers are evolving their tactics so organizations need to up their game as well.”
Carl Leonard, senior manager at Websense Security Labs, agreed that the incident shows organizations are still failing on data security.
“To address this and to start to implement more intelligent data security strategies, businesses must consider the weakest points of entry within their organization,” he told Infosecurity.
“They can then bolster protection there and at the same time secure their most important data, then progressively work through the remaining data sets.”
Security expert Graham Cluley wrote in a blog post that often it is the Korean netizens who must suffer from the “insufficiently secure services” of organizations which should know better.
“Nobody has heard anything as of yet from any of Korea’s online gaming services. Although not much is known about the details of the breach itself, a simple password extractor should not be enough to hack into a large-scale gaming platform,” he added.
“While security professionals love to write about password security and how individuals can protect themselves, the onus is on the company to provide a safe and secure online environment for their gamers.”