Anatomy of a Breach: Korea Credit Bureau — 20 Million Records Stolen by a Temporary Consultant

> series: anatomy_of_a_breach —— part: 062 —— target: 3_korean_credit_card_companies —— records: 20,000,000 —— method: usb_drive

Hedgehog Security · 28 February 2014 · 12 min read

40% of South Korea's population. Stolen on a USB stick by a temp.

In January 2014, South Korean prosecutors arrested a temporary IT consultant at the Korea Credit Bureau (KCB) — a credit scoring agency similar to the UK's Experian or Equifax — who had stolen the personal and financial data of approximately 20 million people from three major credit card companies: KB Kookmin Card, Lotte Card, and NH Nonghyup Card. The consultant, who had been hired to work on system upgrades, had simply copied the data to a USB drive over a period of months.

The stolen data included names, social security numbers (Korean resident registration numbers), phone numbers, addresses, credit card numbers, and credit scores. At 20 million records — representing approximately 40% of South Korea's 50-million population — it was one of the largest insider data thefts ever recorded. The breach triggered a national crisis: millions of South Koreans cancelled their credit cards, the CEOs of all three credit card companies offered their resignations, and the Korean government introduced emergency data protection legislation.


Recommended

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call

USB drives and insiders: the breach that crosses borders.

The Korea Credit Bureau breach was the fourth major insider data theft in this series, following T-Mobile UK (2009), Chelsea Manning (2010), and Vodafone Germany (2013). In every case, the pattern was identical: an authorised user with legitimate access used that access to extract bulk data to portable media without detection. And in every case, the controls that would have prevented or detected the theft — USB port restrictions, data loss prevention, behavioural monitoring, and access minimisation — were absent.

USB Drive — Again

Like the <a href="/blog/anatomy-of-a-breach-gmp-memory-stick">GMP memory stick</a> (2012) and the <a href="/blog/anatomy-of-a-breach-mod-laptop-theft">MoD laptop</a> (2008), the data was exfiltrated on a USB drive. Technical controls that restrict USB access to approved encrypted devices — mandated by <a href="/cyber-essentials">Cyber Essentials</a> — would have prevented the theft.

Contractor/Consultant Risk

The thief was a temporary consultant — not a permanent employee. Contractors and consultants often receive the same database access as permanent staff but without the same vetting, monitoring, or loyalty. This parallels the <a href="/blog/anatomy-of-a-breach-target">Target breach</a>, where an HVAC contractor's access was the entry point. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> assesses contractor access controls.

Months of Theft Without Detection

The consultant copied data over a period of months without any alert, any audit flag, or any monitoring intervention. <a href="https://www.socinabox.co.uk/blog/data-loss-prevention-small-business">Data loss prevention</a> through <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects bulk data extraction in real time — the capability that was absent at KCB.

National-Scale Impact

20 million records from a population of 50 million meant nearly every other person in South Korea was affected. The breach prompted emergency legislation, mass card cancellations, and executive resignations — consequences that demonstrate the existential risk data breaches pose to organisations handling population-scale data. For UK financial services firms covered in our <a href="/blog/sector-under-the-microscope-financial-services">sector analysis</a>, the parallels are direct.

Controls that prevent USB-based insider theft.

The Korea Credit Bureau breach was preventable with controls that are standard components of modern security programmes: USB port restrictions (allowing only approved encrypted devices), data loss prevention monitoring (detecting bulk data export), behavioural analytics (flagging anomalous database access patterns), least-privilege access (limiting consultant access to the minimum required), and audit logging (providing a forensic trail of all data access).
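The audit-logging and behavioural-analytics controls above are only useful if something actually reads the logs. As an added illustration (not Hedgehog Security's or SOC in a Box's code), this example flags an account whose daily row volume from the database jumps far above its own baseline, the pattern a consultant dumping whole tables would produce. The log format, account names, table names and dates are all constructed for the example.

```python
"""Flag bulk data extraction in database audit logs (added example).

Each constructed log line is: ISO timestamp, account, table, rows returned.
An account is flagged for a day when its total rows read that day exceed an
absolute floor AND a multiple of its own median volume on its other days.
"""
from collections import defaultdict
from statistics import median

# Constructed sample audit log; accounts, tables and dates are assumptions.
AUDIT_LOG = """\
2013-06-03T09:12:44 svc_scoring customers 1200
2013-06-03T09:40:02 contractor_01 customers 800
2013-06-04T10:05:19 svc_scoring customers 1300
2013-06-04T11:22:51 contractor_01 customers 950
2013-06-05T08:58:07 svc_scoring customers 1250
2013-06-05T23:14:33 contractor_01 customers 2400000
2013-06-05T23:31:10 contractor_01 card_accounts 1900000
"""

def parse(log):
    """Yield (day, account, rows) for each audit line."""
    for line in log.splitlines():
        ts, account, _table, rows = line.split()
        yield ts[:10], account, int(rows)

def daily_volumes(log):
    """Rows read per account per day, summed over all tables."""
    vol = defaultdict(lambda: defaultdict(int))
    for day, account, rows in parse(log):
        vol[account][day] += rows
    return vol

def flag_bulk_reads(log, ratio=10.0, floor=100_000):
    """Return (account, day, rows, baseline) for anomalous days.

    The floor stops noisy low-volume accounts from alerting; the ratio is
    measured against the account's median on its *other* days, so an account
    with no history (baseline 0) is flagged as soon as it crosses the floor.
    """
    flags = []
    for account, days in daily_volumes(log).items():
        for day, rows in sorted(days.items()):
            others = [r for d, r in days.items() if d != day]
            baseline = median(others) if others else 0
            if rows >= floor and rows > ratio * max(baseline, 1):
                flags.append((account, day, rows, baseline))
    return flags
```

In the constructed log only contractor_01 on 2013-06-05 trips the rule (4.3 million rows against a baseline of 875); the service account's steady 1,200-row days never cross the floor.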

Cyber Essentials certification mandates removable media controls. Our penetration testing validates these controls and assesses insider threat scenarios. SOC in a Box provides the behavioural monitoring and data loss prevention that detects bulk data extraction. And UK Cyber Defence provides forensic investigation when insider theft is suspected.


A temp with a USB stick stole 40% of South Korea's personal data. Could it happen in your organisation?

<a href="/cyber-essentials">Cyber Essentials</a> mandates USB controls. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for bulk data extraction. Our <a href="/penetration-testing/infrastructure">penetration testing</a> tests insider threat scenarios.
