Three of the country's major credit card firms ㅡ KB Kookmin Card, Lotte Card and NH NongHyup Card ㅡ are facing strong sanctions from regulators over the leak of personal information of tens of millions of their customers.
The prosecution said Wednesday it has indicted an official of the Korea Credit Bureau (KCB), a Seoul-based credit evaluation service provider for financial firms, for stealing the customer information from the databases of the three firms.
The official, identified as a 39-year-old Park, sold the data to an advertiser, and the information was used for marketing activities, the prosecution said.
This is one of the largest information theft cases here. Prosecutors suspect Park stole personal information of 53 million users of KB's cards, 26 million Lotte card users and 25 million NH customers.
"Taking the overlapped customers into account, we believe the number of victims exceeds 20 million," an official from the Financial Supervisory Service (FSS) said. "We are looking into how he accessed the database and copied the information."
The CEOs of the three card issuers as well as the KCB publicly apologized for the theft case.
"This is an unfortunate thing that should not have happened at a financial firm," they said in a joint statement. "We will take measures immediately to prevent a recurrence, and strengthen ethical standards for employees."
The FSS said it will investigate whether similar theft cases occurred at other firms. The KCB provides services to 19 financial firms, including card issuers and banks.
According to the bureau, Park was in charge of setting up a fraud detection system for the three card firms.
"As far as we know, Park was authorized by the firms to access the database. They trusted him because he has long maintained relationships with them," the FSS official said.
Besides the three firms, the country's largest card issuer, Shinhan Card, and Samsung Card have been working with the KCB to build similar anti-fraud systems, sources said.
This is the latest in a series of information theft cases that have taken place in the local financial sector.
The regulator recently ordered card firms to correct the practice of collecting "excessive" personal information from customers, saying that such data could be misused.
Last year, Meritz Fire & Marine Insurance and Hanwha Life Insurance were punished for a leak of customer information.
The local units of Standard Charted (SC) Bank and Citibank were also recently sanctioned for similar violations by their employees.