A person, known as only “A”, accessed the Homeplus online mall using the IDs and passwords of others and stole OK Cashbag points for about 1 year, from October 2017 to October 2018. This was revealed when the customer “B” filed a complaint about not earning the mileage points she expected on the 9^th day of this month, and the investigator found that a membership card owned by the wrong person was registered in the account of “B”.

This scam artist took advantage of the loopholes in this system. Namely, you can: 1) have multiple membership cards that are awarded OK Cashbag points; 2) join with a new membership for each of the affiliated brands; and 3) accumulate points with a card owned by a third party. In this case, the thief made 11 membership cards in his own name and registered those cards in about 49,000 Homeplus accounts.

The loyalty points that “A” stole were worth KRW 4 million. Although the amount of monetary damage is relatively small, considering the long period of time and the number of victims involved, enormous intangible injuries have arisen owing to identity theft and unauthorized usage. The theft and misuse of points are not problems for Homeplus alone; in fact, any of its affiliated brands or member stores could be the targets of this type of fraud.

KNOCC is calling on Homeplus to account for its gross negligence in causing damages to its customers’ properties, as suspicious login attempts were detected on several accounts and only 11 cards were registered in 49,000 accounts. It does not make sense that SK Planet, a provider of the OK Cashbag service, was not alerted when about 11 membership cards belonging to the same person were registered in 49,000 accounts, which means that 4,455 different IDs from the same affiliate brand were enrolled in a single card. Furthermore, SK Planet employed no identity verification system for the card registrations and they cited customer convenience as an excuse for avoiding their responsibility.

We demand that SK Planet take responsibility and reconstruct the OK Cashbag system to prevent the abuse of consumers’ personal data. We also demand that the 84 affiliated brands of OK Cashbag confirm there has been no data breach, comply with the consent requirements, and update their own security systems with verification procedures in cases where the same card is registered in different accounts.

The Korea Communications Commission (KCC) and KISA “are currently investigating and will announce the facts after they have been confirmed”; however, they should not only investigate data breaches, but should promptly and actively respond to this incident in order to prevent further damage to consumers’ properties, to promote a discussion about compensation, and to find adequate countermeasures. Meanwhile, it has been assumed that the scam artist easily stole the rewards because the same password was commonly used for the same ID. Thus, the consumers need to regularly change their passwords and to thoroughly check their account, whether an unknown card is registered or not.