
Online gaming data breach affects millions in South Korea

South Koreans must handle the consequences of yet another enormous data breach, this time from online gaming.

A staggering three-quarters of the entire South Korean population was affected, with ages ranging from 15 to 65. It would be an impressive enough statistic to learn that three-quarters of South Koreans are involved in some sort of online gaming platform to begin with, but this data breach stretches beyond that.

Korea JoongAng Daily reports authorities have already made 16 arrests related to the leak. A 24-year-old man with the surname Kim is apparently suspected as a key player in the illegal receipt of over 220 million identifying pieces of information. Kim handled names, account names and passwords, and even residential registration numbers, all of which he received from a Chinese hacker he met – you guessed it – in an online game.

Kim appears to have largely dealt in online game currency, using a password extractor to automate the login process with his sizable cache of account data. You have to admire his persistence; when the extractor was not sufficient to gain access to accounts, Kim purchased identifying information from a mobile phone vendor in order to manually reset their passwords. Kim gained nearly $400,000 from six online games and shared just under $130,000 with his Chinese hacking partner.

Korean law enforcement suspects Kim of selling this illicit information to mortgage fraud swindlers and low-level gambling advertisers. Although he sold the data for only as much as 30 cents per item, police estimate the secondary damages amount to about $2 million. The mortgage fraudsters managed to use Kim’s information to deceive hundreds of Koreans for over a year, from 2012 to 2013.

Although Kim and his hacking partner in China seem to be getting most of the credit for this massive data breach, the roles of the other fifteen arrested are not yet known. In fact, it appears a good deal about this story is still not yet known. Authorities are endeavoring to pin down how these enormous amounts of illegal information were circulated and are still hunting at least seven other suspects (including Kim’s partner).

This is hardly the first time Koreans have suffered due to online security breaches. In 2011, hackers managed to infiltrate South Korea’s most popular social networking sites. Those hackers stole data from 35 million Koreans involved with Nate and the Sims-like Cyworld.

If three-quarters of the population today seems like a staggering amount of plugged-in citizens, consider that Nate and Cyworld commanded the attention of 35 million people in a country with 49 million residents. It’s a similar percentage, and a similar story: then, like now, hackers from China played a prominent role, and it was the unsuspecting Koreans who had to front the damage.

I have written in the past that it is the Korean citizens who must handle the burden of insufficiently secure services. Social networks and games aren’t the only targets. This past January, an IT contractor for the Korea Credit Bureau was arrested for copying and selling the personal credit card information of almost 20 million Koreans. The chief executives publicly apologized and promptly resigned, although that was probably a small relief to the half of the Korean population whose financial data had been exposed.

Nobody has heard anything as of yet from any of Korea’s online gaming services. Although not much is known about the details of the breach itself, a simple password extractor should not be enough to hack into a large-scale gaming platform.

While security professionals love to write about password security and how individuals can protect themselves, the onus is on the company to provide a safe and secure online environment for their gamers.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

