Nexon case shows lax cyber security
Massive personal info leak follows breaches at Auction, SK Communications
By Kim Tong-hyung
Korea must have thought its computer security defense couldn’t get any worse, but it did.
Computer games publisher Nexon (www.nexon.com) earlier this month was exposed as the latest online company here to allow cyber criminals to intrude into its servers and flee with the sensitive information of tens of millions of users.
Firms previously lashed by data theft include online commerce giant Auction (www.auction.co.kr), the Korean unit of eBay, and social media provider SK Communications, the operator of Nate (www.nate.com) and Cyworld (www.cyworld.com).
Korean companies and government officials have been woefully at a loss in privacy-related issues, with the occasional step forward being a leap from a painful shot in the foot.
At the core of the problem is that websites here have been permitted to zealously collect more personal information than they could possibly handle.
But despite this audacious lack of responsibility, authorities are moving to require the companies to squeeze even more data out of their users in attempting to control Web behavior. Critics, held hostage by policymakers and their circular arguments over the years, appear to be too beaten down emotionally and intellectually to stand up and scream: Are you serious?
“How many more massive data leaks will it take to finally convince everyone that the mountain of personal data floating out there really shouldn’t be there? It’s incredible that the government continues to let private companies collect this information and use it to generate profit when the data should be used for administrative purposes only,” Jang Yeo-gyeong, a computer security expert at activist group Jinbo Net, said.
The hacking attack at Nexon compromised more than 13 million accounts, many of which belonged to underage users, but at least the company could say that the country has seen worse.
The data leak at SK Communications in August breached more than 35 million accounts, a mind-boggling total for a country that has about 50 million people and an economically-active population of 25 million.
The stolen information included names, passwords, phone numbers, e-mail addresses, and most alarmingly, resident registration numbers, the country’s equivalent to social security numbers.
Auction was battered with a slew of class-action lawsuits after Chinese hackers stole the data of 11 million users in 2008. And three people were arrested last year for selling the personal information of nearly 20 million subscribers to Shinsegae Department Store’s online service and social networking site I Love School (www.iloveschool.co.kr).
Virtually all Korean Internet services require users to submit their resident registration numbers, not only for encrypted communications like e-commerce and online banking, but also for casual tasks like e-mail and posting comments on blogs and message boards. Games companies like Nexon are required to collect these codes to control game usage among children.
It could be said that, at least from a security standpoint, resident registration numbers are fundamentally flawed. The 13-digit code exposes a person’s sex, date of birth and site of registration, unlike comparable systems in the United States and Japan, which are based on random numbering.
Not that these countries have ever asked their Internet users to submit their social security codes to get an e-mail account.
In the hands of hackers, the codes can become the master key that opens every door and allows them to steal identities based on a lifetime of Internet use by their unsuspecting victim.
The compromising of personal data is also blamed for fraudsters running wild. “Phishing” is becoming an increasing problem. These scams use phones, e-mail and instant messaging services to lure people into revealing personal details such as bank account numbers and passwords, or even into wiring money.
Critics like Jang insist that anything less than a surgical removal of national identification numbers from Internet systems would fail to effectively defuse the country’s deep-rooted computer security problems. Authorities, however, seem to be moving in the direction of increasing the amount of personal data collected by websites.
Nexon, despite its ineptitude in data protection, has every excuse to cling on to its files of personal identification numbers as policymakers have been imposing limits on how much time youngsters can spend playing their favorite online computer games.
The online gaming curbs, which government officials claim are inevitable for combating compulsive gaming and addiction among young gamers, prevent users under the age of 16 from playing between midnight and 6 a.m. All gamers under the age of 18 are also required to make verifiable real-name registrations when subscribing to online game services.
And since being kicked in the teeth by bloggers early on over its supposed ineptitude in economic policies, the Lee Myung-bak government has been introducing a number of steps to reduce online anonymity at websites and chat rooms in a crusade to curb “cyber bullying.”