Breaches have consequences: Watchdog penalizes Hyundai Capital after data leak

A follow-up to the Hyundai Capital breach first disclosed in April. At the time, Hyundai reported that approximately 420,000 of its 1.8 million customers had their names, resident registration numbers, mobile phone numbers and email addresses compromised by hackers. Now Yonhap News reports:

South Korea’s financial watchdog on Thursday decided to issue an institutional warning to Hyundai Capital Services Inc. and reprimand its chief, holding them responsible for a major hacking attack at the biggest local consumer finance firm earlier this year.

The personal information of some 1.8 million Hyundai Capital customers was compromised in an April hacking attack, in which the hacker implanted a malicious code in the company’s website to break into its data storage system.

Holding a disciplinary meeting, the Financial Supervisory Service handed down the penalty to the consumer finance firm while issuing a cautionary warning to Hyundai Capital President Chung Tae-young, a penalty which is lighter than the market generally expected.

The decision bans the company from buying a stake in other companies for three years and makes it hard for the firm to enter into uncharted business sectors for six months. The punishment for Chung does not have any tangible effects, but could tarnish his image at the helm.

Market analysts said the security breach at Hyundai Capital is feared to hinder the firm’s plan to make inroads into the European and other overseas markets for consumer finance jointly with its affiliate carmaker Hyundai Motor Co.

Wow. It’s one thing when our FTC imposes conditions such as audits for 20 years, but to prohibit a company from buying a stake in other companies strikes me as pretty severe. Can any reader recall any comparable situation in the U.S.?

About the author: Dissent

7 comments to “Breaches have consequences: Watchdog penalizes Hyundai Capital after data leak”

You can leave a reply or Trackback this post.
  1. JJ - September 8, 2011

    Until the executives get personally hit in the wallet or threatened with jail time as happened with Sarbanes-Oxley, they will not pay any attention. They have no incentive to. A three year suspension from buying someone? Big deal. They’ll just do it some other way if they want to or they’ll raise the interest rates on their loans to hoard capital for a buy in 2014. This was another slap on the wrist.

    • admin - September 8, 2011

      You may be right, but I can’t see fining executives personally or jailing them for most breaches. We’re living in times where the public is beginning to buy into the notion that breaches are inevitable and that corporations are victims. I don’t agree with that, but in this climate, I think hurting the company in the wallet by limiting their growth may be more financially penalizing that a flat-out fine. But then, I may well be wrong.

  2. garykva - September 9, 2011

    Many of us in the US forget that some of the international laws are a bit stricter than US laws. For exmaple, The Internet Architecture Board and the Computer Ethics Institute seem to frown on the art of hacking, and they seem to lack the finger pointing towards the company at fault. I my humble opinion, I believe if you are in a position of power or “responsibility” and you are not practicing due diligence or due care, you ARE at fault. Its simple as that. Many of the overseas locations, and in the US for that matter cannot “accept” the fact that hacking is inevitable. That shows lack of concern for the customer, and when does that poison trickle down to the products that your purchasing?

    The CEI and IAB should consider handing out letters of reprimand to any serious breaches to the CEO, CIO, CFO and others should it be something that a 3rd party investigation team deems bad practice. Sure different countries treat hacking crimes different ways but there has to be a standard set in order for the important people to take a look at themselves in the mirror each day and tighten up on the professionalism and responsibilities they have been assigned to perform.

  3. Sang @ AlertBoot - September 9, 2011

    One thing not covered in the above English article is that the head of the IT department had his wages reduced for three months (I can’t tell by how much, though).

    Also, it shouldn’t come as a surprise that the CEO was barely affected. In Korea, it’s something of a “tradition” to either forgive or give out a light sentence to the heads of chaebol companies. The usual explanation goes along the lines of “he’s too important for the economy” or whatever but I guess they’ll use a more logical explanation if one’s available (he’s not directly responsible).

    Once you’re aware of this, you’ll realize that JJ is wrong: not even jail time will incentivize the heads of companies, not in Korea anyhow. (If you thought JJ is a cynic… :P)

    I buy into the reasoning that the head of the company can’t be directly responsible for a data breach: if you’ve been a marketing professional or accountant or lawyer before taking the job, how can you be held chiefly accountable for a computer data breach? However, it should be taken into account whether the CEO had taken steps or instructed to secure said data.

    Korea has been rocked by massive data breaches in the past, so the CEO should have been aware of such risks. Plus, Hyundai Capital claims they’re a global player, and must have been aware of global risks as well (hackers don’ recognize borders). As such, the CEO should have looked into whether there was adequate data security. As far as I can tell, there wasn’t (hence the unusually severe penalty for the company, at least on paper. Lawyers will probably find a way to get around it).

    We can only theorize whether this was due to the CEO not taking initiative or whether the IT department’s head was misreporting the state of their on-line defenses. If the latter, the CEO shouldn’t be personally reprimanded. If the former, he should.

    • admin - September 9, 2011

      As always, thank you for providing a cultural perspective to the debate. I saw wage reductions also imposed in Japanese breaches in the past, but those were the executives who got docked, if I recall, and not the head of IT.

      Given your expertise and familiarity with things there, do you think the penalty was severe or light?

      • Sang @ AlertBoot - September 9, 2011

        I’d say it’s average all around, except for the restrictions on corporate activity.

        I’ve heard of wages getting docked anywhere from 1 to 3 months, so I guess technically it’s more severe than average. However, without concrete numbers, it’s kind of hard to make a comparison.

        One thing that’s for sure is that Hyundai Capital must have gotten substantial negative PR fallout. For example, I haven’t come across ads for their services on TV or radio since the situation. I doubt that they’ve completely halted their efforts; however, it’s in stark contrast when compared to other financial services advertising efforts.

        The only explanation I can come up with is that they’re seeing severe backlash so have decided to play it low for a while. Either that or they’re seeing so much money rolling in that they’ve decided not to advertise…which is unlikely.

        • Sang @ AlertBoot - September 9, 2011

          And by “concrete numbers” I mean how much they’re docked for: 2% over 3 months is hardly severe if someone else’s wages are docked 50% for one month.

Comments are closed.