The 2011 hack affecting SK Communications, operator of Nate and Cyworld, currently stands as 10th on DataLossDB’s list of largest all-time breaches, affecting 35 million people. The breach not only resulted in lawsuits, but contributed to the government reversing its plans to implement a real-name registration policy.
In the latest development, a Seoul court has ruled that SK Communications should pay KRW 200,000 ($185.48) in damages to each of the 2,737 ID theft victims who filed a class action lawsuit against the company. Korea IT Times has more on the ruling. Although they report that this was the first victory for victims of this breach, there actually was a previous case with an award to a plaintiff, and the amount per person from this case is significantly less than what was previously awarded to a sole plaintiff who sued after the breach. It is not known to me what happened to that award on appeal from SK Communications.
Korea IT Times reports that the court said, “SK Communications completely failed to notice the phased theft of personally identifiable information provided by 35 million Nate and Cyworld users. Besides, SK Communications’ use of a general-purpose, easy-to-hack version of ALzip (from ESTsoft) made Cyworld more susceptible to hacking attempts. On top of that, the operator’s employee left the computer on without logging out, therefore leaving Cyworld’s security porous until the early hours of the morning.”
Complaints against ESTsoft and Norton were dismissed. Regulators had previously determined that the malware used in the attack had not been detected by Norton, and had slammed SK Communications for use of the foreign antivirus software.