Residents in both the U.S. and South Korea were recently hit with a major security breach that let significant populations exposed to credit card theft. The two discrete incidents offer an insight into how such disparate nations react to similar crimes, and the cultural implications of each response.
In the U.S., Target's Point of Sales devices were infected with malware, which captured shoppers' credit card information for a period surrounding Black Friday, the largest shopping day of the year. At first, the retailer reported that information was stolen from 40 million accounts. Later, the company revised the number upwards to between 70 and 110 million accounts, including some users who say they had not patronized Target in a decade. It is assumed that each person only has one account, so the number of people affected is the same as the accounts hacked, up to one-third of Americans.
U.S. officials have been investigating the hack but so far it seems private security groups are leading the charge on moving the case forward. Security expert Brian Krebs broke the story, and others (some working with the government) learned that the malicious software originated in Russia and suspected a couple of teenage hackers of writing the code. So far, only two arrests have been made over the theft, and those were questionably related to the case.
In South Korea, more than 100 million credit card details were stolen by a contractor at the Korea Credit Bureau, which offers credit scores. The contractor apparently had access to the credit card companies' databases and removed them using a USB. South Koreans have an average of four credits each, and the information -- including social security numbers -- of 20 million South Koreans, roughly forty percent of the population, is estimated to have been stolen by the contractor. The contractor stole information from over three major credit card companies from December 2012 and apparently sold the information to loan companies who used it for marketing purposes. Though those affected have been assured that their money is safe, roughly 500,000 have opted to cancel credit cards since the breach was made public last week. At least two people, including the contractor, have been arrested for the theft.
Interestingly, the criticism has been apportioned differently in each nation. In the U.S., Target is shouldering the bulk of the blame. The retailer is facing a lawsuit from a bank seeking damages from Target because, it argues, the company's delayed announcement of the breach cost the bank money in terms of account closures, credit card reissues, and other related events. Target is facing nearly two dozen lawsuits from custom upset that Target did not protect their personal information.
It is reasonable, of course, for Target customers to be angry at the retailer, but it has been argued that Target is also a victim of the U.S.'s weak credit card protections. As the Associated Press, explains:
The U.S. is the juiciest target for hackers hunting credit card information. And experts say incidents like the recent data theft at Target's stores will get worse before they get better. That's in part because U.S. credit and debit cards rely on an easy-to-copy magnetic strip on the back of the card, which stores account information using the same technology as cassette tapes. "We are using 20th century cards against 21st century hackers," says Mallory Duncan, general counsel at the National Retail Federation. "The thieves have moved on but the cards have not."
In most countries, credit cards use digital strips that create unique codes for each use to store account information, deterring thieves from attempting to obtain card information. If easy to hack credit cards are the problem, outrage at a retailer could be misplaced.
In South Korea, on the other hand, outrage was directed at the credit card companies — even though the culprit worked for a credit agency:
The first class action lawsuit was filed against the three credit card companies late on Monday, a day after the FSS revealed the full scale of the theft, according to the law firm representing them. The victims are each claiming 110 million won ($103,400) in compensation. Lawyers said they expected more lawsuits to come, as internet chatrooms and social media seethed with complaints about the security failure.
In response to the incident, the chief executives of each of the three companies resigned, a move which would have perhaps have meant more in the U.S. than it does in South Korea, because it would be almost unheard of here. The Financial Times reports that
The mass resignations may bolster complaints, widespread among industry analysts and executives, that South Korean financial companies are excessively beholden to the instructions of the government and regulators... The frequent security breaches in South Korea’s financial sector have come despite a stringent regulatory regime that slows down online banking and shopping. All online transactions require the use of a government-provided “digital certificate” and a range of applications using Microsoft’s outdated ActiveX system.
Still, the South Korean government has said it will increase regulation within the financial services system in order to prevent future breaches. For their part, U.S. lawmakers are demanding more secure credit cards, but credit card companies for now remain largely protected, while Target will likely take the fall and bear the expense.
In South Korea, it seems this breach has been done and the damage assessed, while the Target case is ongoing and will likely drag out for months, if not years, in the courts. It remains to be seen how the case will shake out, but we have a feeling that strong words will not affect credit card companies as much as a lawsuit, and in order to see real change we might have to wait until the next major breach, or see if this one continues to get worse before it runs its course.
This article is from the archive of our partner The Wire.