A person identified only as “A” accessed the Homeplus
online mall using the IDs and passwords of others and stole OK Cashbag points for
about 1 year, from October 2017 to October 2018. This was revealed when
customer “B” filed a complaint about not earning the mileage points she expected
on the 9th day of this month, and the investigator found that a
membership card owned by the wrong person was registered in the account of “B”.

This scam artist took advantage of the loopholes
in this system. Namely, you can: 1) have multiple membership cards that are
awarded OK Cashbag points; 2) join with a new membership for each of the affiliated
brands; and 3) accumulate points with a card owned by a third party. In this
case, the thief made 11 membership cards in his own name and registered those
cards in about 49,000 Homeplus accounts.

The loyalty points that “A” stole were worth KRW 4 million. Although the amount of monetary
damage is relatively small, considering the long period of time and the number
of victims involved, enormous intangible harm has arisen owing to identity
theft and unauthorized usage. The theft and misuse of points are not problems
for Homeplus alone; in fact, any of its affiliated brands or member stores could
be the targets of this type of fraud.

KNOCC is calling on Homeplus to account for its gross negligence in causing
damage to its customers’ property, as suspicious login attempts were
detected on several accounts and only 11 cards were registered in 49,000
accounts. It does not make sense that SK Planet, a provider of the OK Cashbag
service, was not alerted when about 11 membership cards belonging to the same
person were registered in 49,000 accounts, which means that 4,455 different IDs
from the same affiliate brand were enrolled on a single card. Furthermore, SK
Planet employed no identity verification system for the card registrations and
cited customer convenience as an excuse for avoiding its responsibility.

We demand that SK Planet take responsibility and
reconstruct the OK Cashbag system to prevent the abuse of consumers’ personal
data. We also demand that the 84 affiliated brands of OK Cashbag confirm there has
been no data breach, comply with the consent requirements, and update their own
security systems with verification procedures in cases where the same card is registered
in different accounts.
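
The verification procedure demanded above, as an added example that is not part of the original statement and is not Homeplus or SK Planet code: a registration gate that refuses a card whose holder differs from the account owner, holds registrations once a card is already linked to too many accounts, and audits existing links after the fact. The class and function names, the threshold, the identity keys and the sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict

MAX_ACCOUNTS_PER_CARD = 2  # assumed policy limit, not a real OK Cashbag setting


class CardLinkMonitor:
    """Gate for 'register loyalty card in account' requests (hypothetical)."""

    def __init__(self, max_accounts=MAX_ACCOUNTS_PER_CARD):
        self.max_accounts = max_accounts
        self.linked = defaultdict(set)   # card_id -> accounts it is registered in
        self.refused = defaultdict(set)  # card_id -> accounts where it was refused

    def register(self, account_id, account_owner, card_id, card_holder):
        """Return 'allow', 'deny' (holder mismatch) or 'hold' (fan-out limit)."""
        # Identity check: a card may only earn points in its holder's own account.
        if card_holder != account_owner:
            self.refused[card_id].add(account_id)
            return "deny"
        accounts = self.linked[card_id]
        # Fan-out check; repeating an existing link does not count again.
        if account_id not in accounts and len(accounts) >= self.max_accounts:
            self.refused[card_id].add(account_id)
            return "hold"  # step-up verification or manual review
        accounts.add(account_id)
        return "allow"

    def alerts(self, min_accounts=3):
        """Cards refused in at least min_accounts distinct accounts."""
        return {c: len(a) for c, a in self.refused.items() if len(a) >= min_accounts}


def audit_links(links, max_accounts=MAX_ACCOUNTS_PER_CARD):
    """Retrospective scan of stored (account_id, card_id) pairs.

    Returns {card_id: distinct_account_count} for cards over the limit."""
    fanout = defaultdict(set)
    for account_id, card_id in links:
        fanout[card_id].add(account_id)
    return {c: len(a) for c, a in fanout.items() if len(a) > max_accounts}


# Constructed sample data: one card registered in five accounts, one normal card.
SAMPLE_LINKS = [(f"acct-{i}", "card-X1") for i in range(5)] + [("acct-9", "card-Y7")]

if __name__ == "__main__":
    print(audit_links(SAMPLE_LINKS))  # cards exceeding the per-card account limit
```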

The Korea Communications Commission (KCC) and KISA “are currently
investigating and will announce the facts after they have been confirmed”;
however, they should not only investigate data breaches but also respond promptly and
actively to this incident in order to prevent further damage to
consumers’ property, to promote a discussion about compensation, and to find
adequate countermeasures. Meanwhile, it has been assumed that the scam artist
easily stole the rewards because the same password was commonly used for the
same ID. Thus, consumers need to change their passwords regularly and to thoroughly
check their accounts for any unknown registered card.