Lax Internal Security Management

The financial sector is loudly censured in the wake of the large-scale accidents of late including the hacking of Hyundai Capital and the network malfunctioning of the National Agricultural Cooperative Federation (NACF).

The banking network of the NACF broke down at around 5 pm, April 12, even before the Hyundai Capital scandal was somewhat cleared up. NACF customers have been unable to make neither a deposit nor a withdrawal, not to mention log on to the mobile banking services.

Hyundai Capital announced on April 10 that about 13,000 of its customers’ credit information including their credit ratings and passwords are hacked. The cause of the leak of personal information has been found to be the lack of customer database encryption.

Though the company is claiming that it has been thorough with regard to encoding, it was found that it halted its database encryption in 2009. At present, it is running its customer database with no encryption solution installed.

“Currently, the number of financial institutions adopting customer DB encryption solutions is close to zero and they are citing system overload as their excuse,” said an information security expert, adding, “Unfortunately, most local insurance companies are not aware of the necessity, not to mention banks.”

The reason could be attributable to the fact that when all of the keys, or data, managed by local financial companies are encoded, the rub is that the data processing speed is likely to slow down significantly. It means that doing so instead of encoding data in part could heavily compromise customer convenience.

The authorities concerned are also to blame for the under-promotion. At present, the country has laws stipulating database encryption but no specific, nationwide and enforceable standard in effect. Though it is true that the encoding is compulsory, detailed guidelines have yet to be set up.

“There have been no enforceable regulations as to database encryption with the only exception of password encoding, which is so important as to be made compulsory by the Electronic Financial Transaction Act,” said the Financial Supervisory Service (FSS). The FSS is planning to decide on the scope of encoding through talks with private security service providers.

Behind Network Malfunctioning

The recent NACF hacking accident has been found to break out first in the system operation room of its spinoff in charge of computing and data management. It has been also revealed that the file deletion command on an IBM employee’s laptop had been saved there at least a month earlier and was executed at the predetermined moment.

The NACF held a press conference on April 18 and said that the recent hacking scandal had been a sort of cyber terrorism. It based its claim on the fact that lots of attack orders had been issued, simultaneously and from within, across the entire system.

According to the financial institution, a file with a deletion order had been executed on one of its partner firms’ laptops at 4:56 pm, April 12. Then, it had shut down its networks and unplugged all of its servers in conformity with its BCP (business continuity plan). The NACF remarked that such a problem can be fully treated in five to 10 minutes in most cases by replacing the hardware but, at this time, the restoration had taken much more time because of the simultaneous deletion commands.

Nevertheless, local IT experts are not buying the explanation. “Different passwords are supposed to be typed into different servers, and in this case, data deletion commands were given to hundreds of servers in a very short span of time, which signals the security system was extremely frail,” said a city bank employee, continuing, “We cannot rule out the possibility of identical passwords set by the NACF under the pretext of management convenience.”

In the meantime, an increasing number of account holders are seeking compensatory damages. According to the NACF, 311,000 petitions were filed until 6 pm, April 18, 955 of those demanding indemnification. “Nine cases of them, worth 2.98 million won in total, have been treated well via mutual consents and the rest of the cases will be handled properly through talks,” said the institution.

Financial Sector’s Negligence of IT Investment

As far as information security and computer network management are concerned, the local financial industry has been found to be much more negligent than accepted.

At the NACF incident, nothing but a single laptop ruined 275 out of the institution’s 553 relay servers and the laptop belonged not to the main office but to one of its partner companies’. The computer was the administrator of no less than 320 NACF servers. In the meantime, Hyundai Capital brought the disaster upon itself by slacking at database encryption. Its investments in network security are standing at mere 2% of its total IT-related budget.

These days, online banking and financial services are increasingly cutting-edge and the danger of hacking is mounting up along with it, unfortunately. However, it has been found that local financial institutions had more IT-related employees in early 2000s than they do now.

“In the framework of IT shared center, staff working for a financial company’s securities, banking and insurance arms gather together and are flexibly dispatched when necessary, meaning, at least in theory, a single engineer can take care of two or three companies’ computing affairs,” said an executive member of a financial institution who asked not to be named. He continued, “However, it cannot but compromise each engineer’s expertise and professionalism, which has led to some in the sector outsourcing more than 50% of their computing works.”

In fact, the NACF has resorted entirely to the technical professionals of IBM, its server supplier, in dealing with the malfunctioning. In doing so instead of utilizing its own staff, the network restoration has taken more time.

Information Security on the Back Burner in Overall Industries

With the aftereffect of the hacking accidents in financial sector still lingering, it has been found that the country’s overall industries, including retail, medical and telecom, are much vulnerable to information security threats.

Many companies and businesses are making no bones about ignoring the government’s privacy protection advices. Hackers, on their part, are finding technical loopholes all around, letting them steal any customer data if they want. At a lot of hospitals, patients’ medical histories and physical data are left unprotected at all in spite of the guideline set up by the Ministry of Health and Welfare last year.

“Medical institutions with 500 or more sickbeds are recommended to run a committee of at least five members for privacy protection and go through a relevant audit every two or three years,” said Park Se-hyun, senior consultant at A3Security, adding, “Nevertheless, only a handful of hospitals are in compliance with it.”

He also remarked that EMR (electronic medical record) and PACS (picture archiving and communication systems) are adopted currently by over 50% and 95% of local hospitals of that size, respectively, which could engender a mega-scale leak of personal information.

In the meantime, the lax management of the information is so prevalent among department stores, discount stores and supermarkets, too. Some experts have even pointed out that unauthorized hackers can freely access their networks while their clerks doing their jobs with PDAs.

Unfortunately, the mobile industry is no exception to the growing menace of data exposure. Though the industry’s security systems are more advanced than others’ to some extent, the rapid spread of smart phones is luring hackers to wireless Internet networks’ soft spots, though unintentionally.

At present, some of local telecom companies are providing Wi-Fi security modules only to their subscribers, adding to the likelihood of information leak during mobile banking or trading.

Industry insiders are seeing those scandals in financial sector as a prelude to bigger calamities. They are warning that a series of catastrophes are sure to follow unless the Hyundai and NACF cases are treated thoroughly.