Old Fashioned Blackmail - Modern Data!

As Seoul Mayor Lee Myoung Bak hosted annual summits for global business leaders. I developed the Crisis plans for three of the events so was present throughout each stage of the occasions. One year’s theme was on how to make Seoul a better place to invest; a topical subject right now as Korea enters recession and is luring financial institutions from Hong Kong.

I recall a British speaker raising concerns that his organization had been threatened by a Korean union rep that unless they did XY and Z then their databases would be wiped clean. Such an insider threat would give any executive sleepless nights. I know not the outcome of that dispute, but he clearly understood his company data was vulnerable.

FILE PHOTO (unrelated to story) - Korean Trade Unions are very well organised.

The recent Twitter hack caused its stock price to plunge 7%, which falls in line with research by Comparitech that found companies with data breaches fall by an average of 7.27%, regardless of size. Last year US bank holding company Capital One lost 5.9% of its stock value after its own data breach.

Whilst phishing scams and hacking do exist, I am yet to be convinced that these are the main causes of data breaches. What is more, the idea of ninja clad spies accessing companies in the night to steal data is more the stuff of Hollywood movies.

When protecting data companies seldom consider is the insider human threat. Some years back I met a senior HR executive from one of Korea’s major manufacturers to persuade him to conduct background screening on the engineers they were bringing in from China for “training.” His response was that “they were very nice people” and thus such screening was not required. At that time the Chinese were behind the Koreans in electronics’ manufacturing. We cannot say that today!

People's lives and circumstances change during the period of employment...

Pre-employment screening still hasn’t caught on in Korea, bar minimal checks on social media sites. However, after those initial “pre-employment checks” no further checks are ever made into the employees over the years of their employment. People’s lives and circumstances constantly change, and a company probably wouldn’t know if one of their drivers was arrested on a Saturday night for drink driving unless they chose to disclose it.

I have recently warned contacts of mine of an old-fashioned threat which is now more likely to become active. In its fight against a second wave of COVID-19 the Korean government accessed credit card data of customers who attended a number of gay nightclubs in Seoul’s Itaewon area. They did this because customers they needed to contact had given false names when entering the said venues in order to protect their identities. I believe the government acted sincerely in collating this data.

However, this sensitive project would not be secret for long. It was quickly reported that the government had collated details of some 1,500 people from gay bars. The data on these individuals would likely include names, addresses, national identity numbers and places of work.

People walk along a street in Seoul. South Korea has won widespread praise for its ‘track and trace’ model of containing the pandemic. Photograph: Chung Sung-Jun/Getty Images

The “possibility” of this highly sensitive list being leaked and or sold to purveyors in the illicit data trade is more of a “probability” and thus only a matter of time before people on that list are contacted with menacing demands. Indeed, the fact that the mere existence of the list was so quickly disclosed to the press reinforces the assertion that it will be leaked further.

The fact that there are only 1,500 names might convince some business leaders that the likelihood of one of them being a member of their staff are incredibly low and thus not worthy of consideration. Yet those 1,500 people all know other people who know others, and are simply the start of a potential chain reaction. A blackmail victim will likely sell out someone else in the false belief that they themselves will be protected.

For some considerable time, menacing threats have been made against young women from the production of sex videos. Yet many younger women are entry level employees and may not have access to sensitive data. What is more, the public are largely sympathetic to such victims, thus the threats have a lesser value. However homosexuality is not yet socially acceptable in Korea, despite sincere efforts such as the holding of the Seoul Queer Culture Festival, to make it so. Indeed, explanations given by those who had given false names at the affected venues included fear of losing their jobs. Others will be married with their own families, choosing to live double lives rather than disclose their sexuality.

This is not a social issue we can resolve overnight, but companies with data to protect must be aware of the threats of blackmail against their staff who may have secret aspects to their lives. Suddenly writing policies of inclusiveness is not going to resolve the immediate threats. However, staff training in how to manage such threats will go some way towards mitigating these genuine concerns.