Remember the great Target Stores credit card hack of 2013? 110 million Target customers, including myself, had their credit card information put at risk and/or stolen in November and December of 2013 because of Target’s crummy Internet security practices.
In typical American fashion, nobody lost their job or even got yelled at because of this massive act of negligence, which resulted in the largest theft of credit card information in world history.
Sure, there were some hearings on Capitol Hill the following February, but not much happened, outside of Target bigshot John Mulligan saying he was “deeply sorry.”
Contrast that with how things are handled in South Korea. The January following the Target hack, news came out that an IT employee of the Korea Credit Bureau had been arrested for stealing account information from the customers of three South Korean credit card companies and selling it to marketing companies.
The managers of those marketing companies were also arrested. Over 20 million customers, 40 percent of the entire population, were affected.
Seems the credit card companies had been storing the account information in an unencrypted database, an act of criminal negligence in the payment card industry. As such, the thief simply copied it all to a USB flash drive and easily sold it to his accomplices.
The fallout from this was swift and decisive. Gov. Choi Soo-hyun, chief regulator of South Korea’s Financial Supervisory Service, promised stern punishment of the responsible parties.
“We will hold them fully responsible for the data leak if their sharing of client data among affiliates and lax internal control turn out to be the cause,” he said. The following week, regulators also banned the three credit card companies from adding new customers, or offering new services or products for the next three months.
The reaction from the Korean credit card companies was stunning.
There was no beating around the bush, no evasive answers at mealy-mouthed Congressional hearings, no covering up and dodging the issue, no making excuses about how they had been out-smarted by genius super-hackers, no running away from responsibility.
The three credit card firms said they would fully cover any financial losses suffered by their customers from scams linked to the data leak.
Then, the real taking of responsibility began to happen: top executives at the three credit card companies, and some of the affiliated banks, began to resign.
First, the upper management team of KB Financial offered their resignation en masse. Then, Sohn Kyoung-ik, chief of Nonghyup’s credit card business division, also resigned. Officials from Lotte Card Group followed suit.
Over 37 banking and credit card company officials tendered their resignations, taking full responsibility for the incident. The pictures online of the press conferences, where the officials appeared publicly to resign, were quite striking.
Rows of neatly-dressed bankers and credit card bigwigs in their dark-colored business suits, bowing deeply from the waist, heads hung in profound shame, disgrace and humiliation.
Here we are, almost three years after the great Target credit card hack, with the benefit of hindsight, looking back at the many months of hem-hawing, blame-gaming, finger-pointing and question-avoiding that finally led to a few things sorting themselves out.
Target CIO (Chief Information Officer, the person usually responsible for security) Beth Jacob was fired/resigned after Target CEO Gregg Steinhafel announced Target was overhauling its information security practices. Then, Target announced that Steinhafel was also resigning, stating that Steinhafel “held himself personally accountable” for Target’s loss of credit card and personal information for 110 million Target shoppers.
Will any of this actually lead to change for the better? Clearly, the two Target resignations pale in comparison to South Korea’s, and come only after clear signs that the 2013 holiday-season hack affected Target’s bottom line. Target’s profits dropped 5 percent immediately after the hack, and its stock dived almost 20 percent compared to the previous year; overall profits were off more than 40 percent.
That certainly must have gotten the attention of Target’s Board of Directors, who engaged in “extensive discussions” with CEO Steinhafel before his resignation was announced.
Perhaps massive profit loss is what it takes to make people regard Internet crime and computer security seriously.