Homeplus under probe over personal data leak
Homeplus, one of the country’s top discount store chains, is facing investigation by the telecommunications regulator over the hijacking of 49,000 customer accounts, according to a lawmaker, Thursday.
Rep. Byun Jae-il of the ruling Democratic Party of Korea (DPK) said the Korea Communications Commission (KCC) and the Korea Internet & Security Agency (KISA) have been investigating the discount store chain after acknowledging that an unidentified intruder logged into Homeplus’ online shopping mall using customers’ ID and passwords.
“For about a year from Oct. 17, 2017 to Oct. 1, 2018, the unidentified person logged into the online shopping mall of Homeplus to steal customers’ rewards points. The total number of compromised accounts is 49,000,” the lawmaker said.
Homeplus belatedly noticed the incursions on Sept. 20, almost two years after the first case occurred, after a customer filed a complaint with the company for not getting the rewards points.
The KCC said it conducted an on-site investigation of Homeplus on Wednesday together with the KISA. The regulator said it will impose sanctions on Homeplus once it is confirmed that the company violated the law.
The lawmaker accused the discount store chain of acting irresponsibly as the company didn’t notify its customers even though it is legally mandatory for a company to report cyberattacks to the relevant users.
According to Article 27-3 of the information communications network act, when a provider of information and communications services becomes aware of the loss, theft or leak of personal information, the provider is supposed to inform the relevant users immediately and report the situation to the KCC or the KISA.
“Though Homeplus reported the case to the telecommunications regulators right after the case was revealed, the company didn’t notify its customers. Its action amounts to a breach of the information communications network act,” Byun said, adding that Homeplus can be charged up to 30 million won ($25,021) of fine.
However, Homeplus refuted the lawmaker’s claim, saying it notified the telecommunications regulators and customers on the same day the suspicious activity was detected.
“As soon as we detected the incident on Sept. 20, Homeplus reported the case to the telecommunications regulators. At the same time we also notified our customers via email and cellphone text message,” a Homeplus official said.
This is not the first time Homeplus has been embroiled in an information leak case as its former and current employees were found guilty of selling customers’ personal data to LINA Life Insurance and Shinhan Life Insurance between 2011 and 2014.