Korean credit card bosses offer to RESIGN over huge data breach

An IT contractor has been arrested over the theft of credit card and personal details of 20 million South Koreans. Investigators allege an IT worker at the Korea Credit Bureau copied names, social security numbers and credit card details of millions onto a USB stick before flogging them to a marketing firm. He has been charged …

COMMENTS

This topic is closed for new posts.
  1. Yet Another Anonymous coward

    Right response - wrong target ?

    The banks presumably have to give the credit agency access to their data

    So whether the banks had it encrypted or not seems irrelevant - it was the credit agency that didn't protect it.

    Unless of course the response now is for the banks to give the credit agency access to their customers' data but not the encryption key!

    1. Anonymous Coward

      In Korea they resign or fall on their sword.

      In the UK they hang on by their fingernails until they agree to leave with share options, golden handshake and health care.

      Then walk into another job for the boys.

      1. Anonymous Coward

        Sounds like a job description for a politician!

  2. dssf

    How can it NOT be a risk?

    That is an incredible leap in logic, that just because the CVC and password do not appear to have been obtained, there is no likely fraud to take place.

    It is no secret that unlike the USA and other countries, where voluntary tax reporting is considered "compliant", and in SK, "non-compliant", some number of SKs (IIUC, those older than 35 or so) have two to five alter egos/alternate IDs, just for evading taxes, among other things.

    Anyone with this info now can target those victims and use enough existing facts to create alternate IDs and possibly obtain credit or loans in those people's names if collateral is not required. With so many people having the same surname, it only will take a crafty con a few days with an analytics program to match up stolen IDs to prospective buyers to minimize the risk of fraud alert detection going off.

    This is just one more incident that will likely lead to biometrics at point of sale becoming the norm.

    But these kinds of snafus will probably make more people resort to carrying around wads of extra cash for a few months. It can be pretty scary for those who use love motels for purposes outside of their relationships if the data buyers/users can figure out how to access transaction histories. Blackmail could really put people into a tailspin, too.

    It is just totally improper to state that the lack of the CVC and password diminishes the risk of harm to the victims. Downplaying these events is likely to lead to complacency.

  3. Mark 85

    The difference between their culture and others...

    The most senior management take responsibility. Here in the States, they would want a large bonus.

    1. Gene Cash

      Re: The difference between their culture and others...

      Yup, just like Target, where their reaction has been "Yup, it happened. Your bank'll take care of it if someone steals your money. Have a nice day."

  4. dssf

    A little bit about culture

    http://english.chosun.com/site/data/html_dir/2014/01/22/2014012200837.html

    http://www.inc.com/magazine/201112/the-returnees.html

    Over there, if you are from a wealthy family (at least as of 2011), and you run a start-up, you're regarded with suspicion. Read about Daniel Shin, from the USA, who started Ticket Monster in Korea in a room in his grandmother's home, and is (in 2011) doing better than most Koreans born and raised in Korea, who struggle their butts off to stay at the top of the boiling kettle.

    People with lots of money probably wonder what'll happen to them if these banks keep suffering data breaches. SK's been hit multiple times in the past few years.

  5. Anonymous Coward

    best industry practice?

    I'm perhaps seeing a confusion in the security industry, with many areas requiring partners/contributors to follow "Best Industry Practice". Fine, that'll hopefully get you above-average levels of safety/security, if all your partners/contributors are doing what they say they are doing.

    Unfortunately, due to the buggy nature of human-written software, the engineered and accidental backdoors, and just human frailty in comprehending the 'real' level of security paranoia that a situation requires, I think that best practice does not actually work in security. Not when there's a high-value target, or easy money from a few hours of script-kidding or subverting a "Trust Anchor" in ways that are implausible (to the industry) but easily practical (to the attacker).

    For example, allegedly maybe 60% of Banking Apps send cleartext - perhaps after some sort of vague trust element/certificate handshake, perhaps.

    For another example: some standards bodies that work on trust in Internet commerce and certificate authorities think that "pin" means '4-digit bank-card personal number', whereas I'd like them to consider it to mean 'the service has just presented me with a security object from the *expected* supplier', not from some random man-in-the-middle state or enterprise.

    Poor passwords and data breaches shouldn't happen, but in a world where, according to the BBC, a distributed military system is guessing offline 4 billion password hashes a second, passwords themselves have had their day and we need a new working trust element, with pinning, not just "Best Practice" established by a probably subverted standardisation system.
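The pinning idea in the post above (accept a server only if the key it presents is the one the client expected, not merely one that some CA was willing to sign) is easy to show in code. The following is an added example, not code from the article or from any commenter: it models SPKI pinning as the HPKP-style check "base64(SHA-256(SubjectPublicKeyInfo DER)) is in the shipped pin set", applied as a second gate after ordinary chain validation. The byte strings standing in for DER-encoded public keys are constructed placeholders, not real keys; in a real client the SPKI bytes would come from the peer certificate (for instance via the `cryptography` package's `x509.load_der_x509_certificate(...).public_key().public_bytes(...)`).

```python
import base64
import hashlib
from typing import Iterable


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64 of the SHA-256 digest of the DER-encoded SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_matches(presented_spki_der: bytes, pinned: Iterable[str]) -> bool:
    """True only if the key the peer presented hashes to one of the pins we shipped."""
    return spki_pin(presented_spki_der) in set(pinned)


# Constructed stand-ins for DER-encoded public keys (placeholders, not real keys).
EXPECTED_SPKI = b"constructed-spki-of-the-expected-bank-key"
BACKUP_SPKI = b"constructed-spki-of-the-bank-backup-key"
OTHER_CA_SPKI = b"constructed-spki-of-a-different-validly-issued-key"

# Ship the current key plus a backup so a planned key rotation does not brick the client.
PINS = [spki_pin(EXPECTED_SPKI), spki_pin(BACKUP_SPKI)]


def accept_connection_chain_only(chain_validates: bool) -> bool:
    """The 'best practice' check alone: any certificate a trusted CA signed is accepted."""
    return chain_validates


def accept_connection_pinned(chain_validates: bool, presented_spki_der: bytes) -> bool:
    """Chain validation AND pin check: a valid chain from an unexpected key is refused."""
    return chain_validates and pin_matches(presented_spki_der, PINS)


if __name__ == "__main__":
    # A validly-issued certificate for a key the client never expected: chain-only
    # validation accepts it, the pinned client refuses it.
    print("chain only :", accept_connection_chain_only(True))
    print("pinned     :", accept_connection_pinned(True, OTHER_CA_SPKI))
    print("expected   :", accept_connection_pinned(True, EXPECTED_SPKI))
```

Whether a pin set is checked against the leaf key or an intermediate's key is a deployment choice; the failure mode to plan for is the client that pins a single key and then cannot connect after a legitimate rotation, which is why a backup pin is included here.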

    1. Tom 13

      Re: best industry practice?

      The only practical answer to PIN cracking is a two independent connection model using the equivalent of a cypher pad. You contact the vendor, the vendor contacts the payment company. The payment company contacts you (via a pre-established secure method) with the key from the cypher pad, which you then provide to the vendor to complete the order.

      You of course see the immediate problem: too complex for a typical user to implement the solution.
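The two-independent-connection flow described in the reply above (customer contacts vendor, vendor contacts the payment company, the payment company sends a one-time key to the customer over a pre-established channel, the customer hands that key to the vendor to complete the order) can be modelled end to end. This is an added example, not code from the article or the commenter: the three parties, the "second channel" (a per-customer message list standing in for an SMS or app push), the names `alice` and `shop-1`, and the two-minute code lifetime are all constructed for the illustration. The verification side shows the checks a payment company would need for the code to act like a pad entry: random, single-use, short-lived, bound to the vendor that requested it, and compared in constant time.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 120  # assumed lifetime of a one-time code


@dataclass
class PendingOrder:
    customer_id: str
    vendor_id: str
    amount: int
    code: str
    issued_at: float
    used: bool = False


class PaymentCompany:
    """Issues one-time codes over a pre-registered channel and verifies each code once."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending: dict[str, PendingOrder] = {}
        self.out_of_band: dict[str, list[str]] = {}  # simulated second channel per customer

    def register_channel(self, customer_id: str) -> None:
        """The pre-established secure method: set up before any order is placed."""
        self.out_of_band[customer_id] = []

    def request_code(self, vendor_id: str, customer_id: str, amount: int) -> str:
        """Vendor -> payment company. Returns an order id; the code goes only to the customer."""
        order_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**8):08d}"  # 8 random digits from the CSPRNG
        self.pending[order_id] = PendingOrder(customer_id, vendor_id, amount, code, self.clock())
        self.out_of_band[customer_id].append(f"{order_id}:{code}")  # second channel, never the vendor
        return order_id

    def confirm(self, order_id: str, vendor_id: str, code: str) -> bool:
        """Vendor -> payment company with the code the customer handed over."""
        order = self.pending.get(order_id)
        if order is None or order.used:                       # unknown or replayed
            return False
        if order.vendor_id != vendor_id:                      # code bound to the requesting vendor
            return False
        if self.clock() - order.issued_at > CODE_TTL_SECONDS:  # expired
            return False
        if not hmac.compare_digest(order.code, code):         # constant-time comparison
            return False
        order.used = True
        return True


class Vendor:
    def __init__(self, vendor_id: str, payco: PaymentCompany):
        self.vendor_id = vendor_id
        self.payco = payco

    def start_order(self, customer_id: str, amount: int) -> str:
        return self.payco.request_code(self.vendor_id, customer_id, amount)

    def complete_order(self, order_id: str, code_from_customer: str) -> bool:
        return self.payco.confirm(order_id, self.vendor_id, code_from_customer)


def customer_reads_code(payco: PaymentCompany, customer_id: str, order_id: str):
    """The customer side: read the code for this order off the second channel."""
    for msg in payco.out_of_band[customer_id]:
        oid, code = msg.split(":")
        if oid == order_id:
            return code
    return None


def run_exchange(clock=time.time):
    """Full flow; returns (first attempt, replay of the same code, wrong code)."""
    payco = PaymentCompany(clock)
    payco.register_channel("alice")          # constructed customer
    shop = Vendor("shop-1", payco)           # constructed vendor
    order_id = shop.start_order("alice", 4999)
    code = customer_reads_code(payco, "alice", order_id)
    first = shop.complete_order(order_id, code)
    replay = shop.complete_order(order_id, code)
    wrong = shop.complete_order(order_id, "00000000")
    return first, replay, wrong


if __name__ == "__main__":
    print(run_exchange())  # expected (True, False, False)
```

The vendor only ever sees the code after the customer has chosen to hand it over, so a compromised vendor or a leaked card database cannot complete an order on its own; the usability objection in the post above still stands, since the customer must act on a second channel for every purchase.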

