By Kim Tong-hyung
Staff Reporter
Retail giant Shinsegae is involved in the country's largest-ever identity theft case, and yet critics wonder whether the company is more concerned about saving face than tightening the loose ends of its privacy management.
The Seoul Metropolitan Police Agency is currently questioning three people on charges of stealing and selling the private information of more than 20 million people subscribed to Shinsegae's online services, the I Love School (www.iloveschool.co.kr) social media site and other online destinations.
According to police, the suspects allegedly purchased the data from a China-based hacker and resold it to telemarketing firms and other buyers through the Internet.
It remains to be seen whether the fallout of the data leak will lead to a public relations disaster for Shinsegae, which counts about 3.2 million of its customers among the victims of the cyber crime.
Previous privacy infringement cases have resulted in a slew of class-action lawsuits for the involved companies, including Auction (www.auction.co.kr), eBay's Korean unit, which failed to protect the data of nearly 11 million of its customers from Chinese hackers in 2008.
It's likely that Shinsegae will see a similar public backlash and legal action, and the company clearly isn't winning any sympathy with its supposedly loose handling of the incident.
Despite being tipped off by police during the earlier part of the investigation, Shinsegae waited days before notifying customers through e-mails that their private information had been compromised.
And aside of issuing a public notice saying it was "aware" of the data leak, the company has yet to reveal plans to strengthen its computer security defense or protect its customers from damage related to the data leak, including fraud and identity theft.
"At first, I was shocked to discover my personal information had been compromised. I thought it happened to other people, but not me," said a 43-year-old office worker in Seoul, who said she "used to" like the convenience of online shopping.
"I have spent an entire afternoon changing passwords on other Web sites, but I am not certain if I covered them all. Now, I probably won't use online shopping sites if there are other alternatives, and I am incredulous that a company as big as Shinsegae could not protect its database."
Shinsegae officials claim that they have been successfully protecting customers' data after introducing a code system to protect personal information in 2006, and claims that its database was breached only in 2004. However, some security experts question whether it's plausible to believe that Shinsegae didn't know about the identity theft when it occurred back in 2004.