Three individuals suspected of hacking into 225 websites and stealing the personal details of 17 million people have been arrested by South Korea’s Incheon Metropolitan Police Agency.
The suspects, named Kim, Lee and Choi, are said to have sold the stolen information to various loan companies and chauffeur services in exchange for 100 million won ($93,000 / €68,657), the Korea Joongang Daily reports.
Representatives of the police revealed that the websites targeted by the hackers were not properly secured, allowing the attackers to breach the sites' databases and steal information.
In some cases, the attackers posted maliciously crafted code on online forums. When administrators clicked on the links, they unknowingly gave the hackers access to their systems.
Kim and Choi are both 21. Lee is 18. They met in 2011 while playing an online video game.
Kim was arrested in November 2012 for distributing malware in online communities. Choi was also charged with spreading malicious content online.
Lee, on the other hand, dreamt of becoming a white hat hacker. He learned many things about this trade from the other two suspects. At one point, he got so involved in it that he dropped out of school.
In September 2013, he moved in with Kim and Choi in Iksan, North Jeolla. That’s when they started hacking into the websites of various organizations, including real estate and trading services, the Korean Dental Association, the Association of Korean Medicine, and the Korean Medical Association.
They’re also said to have targeted online gambling websites. From one site, they managed to make a lot of money, both by stealing it directly and by blackmailing its operators.
First, they stole 180 million won ($168,000 / €123,000) by manipulating data, after which they asked the owners to pay another 80 million won ($74,800 / €54,000), threatening to delete the site.
Initially, Lee only handled the sale of the stolen information. However, he later figured out how to hack the sites, so he stole data from 14 websites.
In addition to Lee, Choi and Kim, six others are being investigated on suspicion of being involved in the conspiracy.
The owners of the hacked websites could also be held responsible for failing to protect their customers’ personal information.
Major data leaks are becoming more and more frequent in Korea. Earlier this month, authorities suspended the activities of three major payment card issuers after they failed to realize that an engineer had stolen and sold the details of tens of millions of their customers to marketing firms.