Modernizing Authentication — What It Takes to Transform Secure Access
The personal information of about 30,000 customers of the South Korean cryptocurrency exchange Bithumb was recently exposed when a Bithumb employee's home computer was hacked, according to Yonhap News.
While Bithumb says no passwords were stolen, Yonhap reports that some customers lost funds as a result of the attack.
Brave New Coin reports that the exposed data included customer names, mobile phone numbers and email addresses.
Bithumb is one of the largest bitcoin exchanges in the world. While it's not yet clear how much money may have been stolen, Brave New Coin reports that the amount is "quickly reaching into the billions of Won."
Customers say they've been targeted by voice phishing attacks, in which attackers call victims by phone posing as Bithumb executives, and try to leverage the data they already have to gain access to victims' accounts.
In a statement published last, Bithumb promised to pay 100,000 Won (approximately $86.50) to all members whose personal information was exposed -- and to reimburse all losses for anyone who suffered additional damages.
High-Tech Bridge CEO Ilia Kolochenko told eSecurity Planet by email that Bithumb's response seems both professional and ethical, and could serve as a good example for other companies. "However, it would be too early to calculate overall damages right now, as attackers could probably breach other machines and get additional information," he said.
And Imperva security group manager Ben Herzberg said it's particularly notable that the stolen data was already outside of the company's control, on an employee's personal computer.
"This also brings [up] the question of data security in companies and the ability of employees to take sensitive information with them when they're at home," Herzberg said. "Part of this is due to the rapidly changing work environment where employees get more remote access to company resources, which poses a challenge to IT security departments."
The Risks of BYOD
The breach should serve as a reminder that Bring Your Own Device (BYOD) policies aren't just needed for smartphones and tablets -- only 36 percent of employees received corporate-issued laptops last year, a Gartner survey of 9,592 respondents in the U.S., U.K. and Australia found, while just 23 percent of employees surveyed said they're provided with corporate-issued smartphones.
"Usage of personally owned devices in the workplace is nothing new, but the survey results confirm that this trend has become a new workplace standard," Gartner principal research analyst Mikako Kitagawa said in a statement. "Two thirds of survey respondents said that they use a personally owned device or devices for work."
A separate Strategy Analytics survey of 1,200 IT decision makers found that one third of companies don't manage corporate information on personal liable devices at all.
Strategy Analytics executive director of enterprise research Andrew Brown said in a statement that "cost savings from BYOD are not comparable to the financial damage and reputational that can be incurred as a result of lost or stolen data and the security implications that a data breach entails."
Bithumb has learned that lesson in spades.