Korean Court Orders SK Communications to Pay Damages to ID Theft Victims

[Erica Absetz <eabsetz () opensecurityfoundation org>]

http://www.databreaches.net/?p=26863

The 2011 hack affecting SK Communications, operator of Nate and
Cyworld, currently stands as 10th on DataLossDB’s list of largest
all-time breaches, affecting 35 million people. The breach not only
resulted in lawsuits, but contributed to the government reversing its
plans to implement a real-name registration policy.

In the latest development,  a Seoul court has ruled that SK
Communications should pay KRW 200,000 ($185.48) in damages to each ID
theft victim in a class action lawsuit against SK Communications filed
by 2,737 ID theft victims. Korea IT Times has more on the ruling.
Although they report that this was the first victory for victims of
this breach, there actually was a previous case with an award to a
plaintiff, and the amount per person from this case is significantly
less than what was previously awarded to a sole plaintiff who sued
after the breach.  It is not known to me what happened to that award
on appeal from SK Communications.

Korea IT Times reports that the court said, “SK Communications
completely failed to notice the phased theft of personally
identifiable information provided by 35 million Nate and Cyworld
users. Besides, SK Communications’ use of a general-purpose,
easy-to-hack version of ALzip (from ESTsoft) made Cyworld more
susceptible to hacking attempts. On top of that, the operator’s
employee left the computer on without logging out, therefore leaving
Cyworld’s security porous until the early hours of the morning.”

Complaints against ESTsoft and Norton were dismissed.  Regulators had
previously determined that the malware used in the attack had not been
detected by Norton, and had slammed SK Communications for use of the
foreign antivirus software.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges.