Suspected GS Caltex insider steals information on 11,000,000
Date Reported:
9/5/08
Organization:
GS Caltex Corporation
Contractor/Consultant/Branch:
None
Victims:
Customers
Number Affected:
"more than 11,000,000"
Types of Data:
"names, resident registration numbers, home and office addresses, home and mobile phone numbers and e-mail addresses"
Breach Description:
"Police are investigating how two compact discs (CDs), storing the private information of more than 11 million people, including high-profile politicians and government ministers, ended up in a garbage pile in southern Seoul."
Reference URL:
The Korea Times
The Hankyoreh
Comtex via TradingMarkets.com
Report Credit:
Kim Tong-hyung, The Korea Times
Response:
From the online sources cited above:
Police launched an investigation into a case in which the personal information of more than 11 million of GS Caltex Corp.’s customers was leaked.
[Evan] This is a huge breach in terms of the number of people affected. The entire population of South Korea is 48,379,392 (July 2008 est. - Source: CIA The World Factbook)
On September 5, the Cyber Terror Response Center, a police unit in charge of online crimes, said it is investigating how two compact discs containing personal information on some 11.19 million people were leaked from inside GS Caltex, the nation’s No. 2 oil refiner.
The two compact discs were found on a street in Seoul’s Gangnam district, where many karaoke bars are located.
According to the police unit, the compact discs contain 76 Excel files in a folder labeled "GS Caltex Customer List," which includes personal information on customers who were born between 1940 and 1992.
The files included the customers’ names, resident registration numbers, home and office addresses, home and mobile phone numbers and e-mail addresses.
In addition, some of the files have information on its customers’ companies.
Both compact discs contain personal information on customers living all over the nation, including in Seoul, Gyeonggi, Gyeongsang and Jeolla provinces and Jeju Island.
Among the customers listed were government ministers, presidential aides, senior officials with the police and the National Intelligence Service as well as some TV celebrities.
[Evan] If the sheer number of people affected doesn't get attention, the status of some of the people should.
The country’s defense minister, police chief, No.2 spy agency official and National Assembly speaker were just a few names among the 11.19 million plus contained on the CDs, a number nearly equivalent to South Korea’s entire adult population.
The case was first reported by online news provider Nocutnews.
"An office worker notified us that he had accidentally found the compact discs in a garbage can in a backstreet on his way home. We asked GS Caltex to confirm it on September 4," said a Nocutnews official.
[Evan] This is a little unusual. Was the CD or DVD just sitting on the top of the garbage, or was the office worker looking through the garbage "on his way home"? How many office workers decide to stop and look through a dumpster on their way home?
GS Caltex asked police to investigate the case on the morning of September 5.
Earlier that day, police sent a team of officers to GS Caltex to identify whether and how the personal information had been leaked.
[Evan] Inside job.
Police said they had confirmed that one of the two compact discs is a sample disc that contains duplicated files and they are now investigating whether the sample disc had been copied for its possible sale.
[Evan] This is a problem. Once control of sensitive information is lost, there is no telling what happens to it. Copies being made and distributed is one of the most prevalent fears.
GS Caltex held a press conference on the afternoon of September 5.
"After asking police to investigate the case, we conducted an internal probe and concluded that most (of the leaked data) is identical to the company’s customer data," a GS Caltex official said.
"The customer database is used for a bonus membership and mileage program, so it does not include information on credit card numbers or bank accounts. So far, there have been no signs of hacking and no reports of blackmailing or threats for money."
[Evan] No signs of hacking lends more credence to an inside job.
GS Caltex said it had "apologized for causing customers to worry" and resolved to "handle the case transparently and fairly," on behalf of its customers, while keeping an eye on the outcome of investigation.
The fallout for GS Caltex, which would obviously be worse than any other previous case, might cause irrevocable damage to the company. GS Caltex executives are now preparing for the worst.
GS Caltex Vice President Kim Myung-hwan tried to downplay the significance of the leak.
[Evan] Consider the source. Obviously Mr. Myung-hwan has a vested interest in downplaying the significance.
"We don’t keep the financial information of our customers, including bank account numbers and credit card information in our database so even if somebody had access to the information on the CDs, they wouldn’t be able to cause any damage with just that," said Kim.
[Evan] Not true. Information is very powerful, especially information that is meant to be confidential.
"Aside from the resident registration numbers, the CDs didn’t have anything that cannot already be found on the Internet," he said. Critics say this is stretching the truth since resident registration numbers are the Korean equivalent of social security codes.
UPDATE - 9/8/08
Four suspects are arrested in regards to the breach
Police investigating the country's largest-ever data leak case at GS Caltex Corp. said Sunday that they have arrested four people, including two employees of the oil refiner, for allegedly releasing personal information of some 11 million customers.
[Evan] According to an earlier news report, a GS Caltex official claimed that only 12 people in the entire organization had access to this information. If this claim is true, then GS Caltex should be commended for restricting access to only those people that need access to complete their job tasks. Restricting access (along with other evidence) significantly contributes to accountability.
It was actually one of the suspects who tipped the media, police said, as they believed that the value of the data would rise if the leak gained public attention.
[Evan] So many criminals are so stupid. These people are fools.
Two of the suspects had access to the customer database as employees of a GS Caltex call center subsidiary -- a 28-year-old man identified by his family name Jeong and a 30-year-old female employee identified as Bae. The other two were identified as Wang and Kim, both in their 20s.
[Evan] What are the penalties in South Korea for these types of crimes? I can't imagine that these four people will be held in much regard by the general public.
The three male suspects manufactured six copies in DVD through a computer at Jeong's office between July and August. Bae organized the information in Excel files, police said.
[Evan] It sounds like the police responded quickly and appropriately based on the very few facts we have about this case. I am impressed with how quickly they tracked the criminal activity, built a case, and arrested those suspected of being responsible. Now let's hope that there aren't gaps.
The probe has mostly focused on company insiders with access to customer data since there is no evidence of hacking, investigators said.
Trying to placate public criticism, GS Caltex swiftly ran a front page public apology in newspapers and operated a round-the-clock customer call center over the weekend.
Commentary:
There have been some very significant breaches that come as a result of unauthorized insider activity, and this is yet another in a troubling trend. Preventing insider attacks is a huge challenge for information security professionals. Employee background checks (at hire and ongoing), segregation of duties, training and awareness, job rotation, etc. can only go so far and then we are left with detection. It is important to build detection into the gaps of prevention.
Past Breaches:
Unknown
