Just the other day, when I was looking over a post on the 5 largest cyberbreaches of 2014 (to date),[1] my mind went back to the Case of Bob,[2] a malfeasing cyber breach insider, on whom I blogged in an earlier post. The top 5 list sequenced a total of 309 million records.[3] That is, I believe, enough to cover stealing one record each from every Citizen of Canada (34 million), Italy (61 million), France (63 million), the United Kingdom (64 million), and Germany (82 million), for a total of 304 million records according to their respective population counts in 2013.[4] Looking only domestically, in the United States, this 309 million could account for the loss of a single record (e.g. social security number) for all but 6 million U.S. Citizens in a population count of 315 million in 2013.[5] That’s a whole lot of broken (out/into) records![6]

Clearly, this is a big and growing problem. And so, I decided to look a little more closely at that list, focus in on the non-American example of South Korea,[7] and lay down a better understanding of why the cyber realm remains so hard to secure – not just from last year’s big breaches at Target,[8] Adobe,[9] and LivingSocial,[10] but persistently and consistently for even those most tech-savvy of U.S. businesses and veterans of the eCommerce and eBanking verticals, including Google/Gmail,[11] Home Depot,[12] JPMorgan Chase & Co,[13] and eBay;[14] along with assorted state and federal government entities.[15]

I will look at the problem from four angles: “B” for Bob, “E” for eCommerce, “S” for Structure, and “T” for Trust; addressing the challenges and opportunities in each obviously requires certain “b-e-s-t” practices. This is a simplification of an extremely complex issue, but a useful approach, nevertheless.



Bob[16] was not the first, nor will he be the last insider to “go rogue”.  The debate continues on whether insiders or outsiders are the greater threat.

“The fact that the individual was reportedly able to access and then sell on vast quantities of customer information is very worrying. It should not be the case that an employee – and in this case a temporary consultant – is able to access and then download sensitive data without this suspicious activity being flagged up,” (…)[17]

“It would seem that this case is a classic example of the ‘insider threat’ – that is, the malicious abuse of privileged access. A breach of customer data can spell disaster for a business, due to the loss of customer confidence, revenue and the possibility of severe financial penalties if they are found to have been negligent in the protection of this information.”[18]

However, the safest and highest of best practices is to do one’s utmost to protect against both, and each through the other, in a figure-of-eight lattice-work.

Suggested solutions include: proper and more comprehensive onboarding and offboarding; segregation of duties; rigorous credentialing and authorization procedures; real-time access and event logging; training and discipline with enforced usage rules (BYOD, social media, portable media, telecommuting); behavioural guidance including full disclosure of privacy limitations and waivers as applicable (travel and mobile security, regulatory compliance, data governance, eDiscovery, and cybersecurity); and so forth – including ONGOING due diligence on ALL employees, vendors, contractors, and counterparties on these parameters.[19] Just as banks were looking to their law firms to harden cyber defences,[20] regulators, and especially financial sector regulators, have also been increasingly focused on the issue of cybersecurity.

“The question we need to all ask as regulators is should we be considering the cyber threat as something as fundamental to institutions as capital levels. I’m not saying yet that they’re equal but we should probably start discussing them in the same breath[.]”[21]

The legal community has long weighed in on this issue for and regarding others, but has only recently, and so publicly, been forced to look at its own house, with some resulting and readily available practical guidance on the starting point for a law firm cyber audit that is easily applicable to other industries.[22]



eCommerce is a 5-edged sword (hard to see in reality – especially as anything easy to wield or even effective, but logically easy to conceptualize). There are the two (alleged) counterparties; there are each of the (apparent) originating and destination locations; and then there are the (acceptable, accredited, and accepted) payment parameters. These are the five.

Counterparties are “alleged” because one or more may be fictitious or on a borrowed or pilfered identity.  Originating and destination locations may be fronts, dead drops, or non-existent.  And the acceptable payment methods may have one party presenting something with false accreditation that is accepted as valid until it is too late to halt the deal;[23] something with proper accreditation that is intercepted before being properly accepted by the intended recipient;[24] or something with proper accreditation that is accepted by a fictitious or otherwise fraudulent counterparty.[25]

Albeit fraught with dangers, eCommerce has become indispensable in an interconnected, beyond-line-of-sight business world. The best we can do is manage it, harden it in advance, and adapt as and when a new vulnerability is shown in this constant battle for sword edges between victims and rogues.



Now, we look back to South Korea, and ask whether there is any structural strength or weakness that makes the nation a recurring[26] and worthy[27] target for cybercrime; and the answer is a very loud yes.

With a wealthy and tech-savvy population that has a GDP/PPP over US $33,000, South Korea was, in 2013, Asia’s 4th largest economy, 12th largest in the world, and 10th largest, globally, in terms of trade in merchandise and services, alone.[28] In that same year, the economy grew by 2.8%, and had a projected 2014 growth forecast of 3.5-4%.[29]

Essentially, South Koreans are connected, mobile-friendly, and absolutely just love eCommerce. Nearly 80% of the population is online, which makes it the most connected country in the world.[30] Mobile penetration has also long been high,[31] with 75% of South Koreans using smartphones overall, and a 98% penetration rate for the 18-24 demographic.[32] On the subject of eCommerce, the consultant Borderfree “found that an increasing number of South Koreans shop overseas retailers to find lower prices, leverage parcel forwarding to save on shipping costs and join online communities to resell imported items they don’t want.”[33] Since at least 2008, it has been quite commonplace for South Koreans to send and receive gift certificates and discount coupons by mobile or smart phone, which can be redeemed just by showing the phone and having it scanned, making coupon clipping (and paper coupons) things of the past.[34]

“From smartphones with flexible, foldable screens to smart refrigerators where you can view the inside contents while shopping; or smart communities, where even your child’s wanderings can be tracked through a central operations centre, Korean companies are on the cutting edge of technology.  Each is vying to be the first to develop the Next Big Thing.”[35]

Hence it follows that if everything cyber-new is there, as in methods and applications in a target-rich environment, then every old and new form of cyber offence will also follow into this nation that is essentially structured, and functions, as a massive testbed!

This factor is further underscored by the fact that: “South Koreans have on average five credit cards, compared to two in the U.S., and the country has the highest credit card penetration globally. Consumers in South Korea also use credit more often. There are 129.7 credit card transactions per year in South Korea, compared to 77.9 credit card transactions annually in the U.S.”[36] Newer technologies introduced will invariably have often unforeseen vulnerabilities that have yet to be patched, and credit card ownership and use have, to date, hardly proved to be entirely risk-free.

It is therefore no surprise that cyber-criminals will congregate at that confluence of high credit card use, high technology, extreme connectivity and mobility, and intense eCommerce that is South Korea.



I have written, elsewhere, that data has very many “faces” – ranging through Form Factors, Applications, Categories, End-users, and Scale; and therefore presenting many attack surfaces vulnerable to myriad and multiplying attack vectors.[37]  Yes, we can (and must) generally trust the data of and provided by counterparties in an eCommerce-driven world, but why not also verify? Too few are taking the time to fully go through the steps, due to cost and time concerns.  When you receive an email, does the return email match the claimed sender, is the content their usual, are the links or required/suggested actions suspicious in any way?  When it is a business, does the contact information match what they list in a directory (remembering that the spoof site found through an internet search is still a spoof site)?  If this is a claimed professional, are they registered somewhere in a searchable official or regulatory database with the same contact data?  Finally, if it is a financial institution account communication, then do you do business with them?  If the answer is no, or your financial services provider does not send you such open login requests, then you should delete the message! These are very basic steps.
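Three of the basic checks above (does the return address match the claimed sender, do the links point somewhere else, do you do business with the sender at all) can be partly automated. The following is an added example, not part of the original post: the sample messages, the `.example` domains and the `KNOWN` list are constructed for illustration, and the domain comparison is a naive suffix match.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages; every domain below is a made-up placeholder.
LEGIT = """\
From: Example Bank <statements@examplebank.example>
Return-Path: <bounce@mail.examplebank.example>
Subject: Your statement is ready

View it at https://www.examplebank.example/statements
"""
PHISH = """\
From: "Example Bank" <alerts@examplebank.example>
Reply-To: support@mail-secure.example
Subject: Verify your account

Log in at http://login.examplebank.example.attacker.example/verify
"""
UNKNOWN = """\
From: Other Bank <security@otherbank.example>
Subject: Account locked

Log in at https://otherbank.example/login to restore access
"""
KNOWN = {"examplebank.example"}  # hypothetical: domains the recipient deals with


def _domain(addr):
    """Lower-cased domain part of an e-mail address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def _within(host, org):
    """True if host is org or a subdomain of it (naive suffix match;
    production code would consult the Public Suffix List)."""
    return bool(org) and (host == org or host.endswith("." + org))


def check_message(raw, known_senders):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_dom = _domain(parseaddr(msg.get("From", ""))[1])
    findings = []

    # 1. Does the return address match the claimed sender?
    for header in ("Reply-To", "Return-Path"):
        dom = _domain(parseaddr(msg.get(header, ""))[1])
        if dom and not (_within(dom, from_dom) or _within(from_dom, dom)):
            findings.append(f"{header} domain {dom} differs from From domain {from_dom}")

    # 2. Do the links lead somewhere other than the claimed sender?
    body = " ".join(
        part.get_payload(decode=True).decode(errors="replace")
        for part in msg.walk()
        if part.get_content_maintype() == "text"
    )
    for url in re.findall(r"https?://[^\s<>'\"]+", body):
        host = urlparse(url).hostname or ""
        if not _within(host, from_dom):
            findings.append(f"link host {host} is outside From domain {from_dom}")

    # 3. Do you do business with this sender at all?
    if not any(_within(from_dom, k) for k in known_senders):
        findings.append(f"no known relationship with sender domain {from_dom}")
    return findings


if __name__ == "__main__":
    for name, raw in (("LEGIT", LEGIT), ("PHISH", PHISH), ("UNKNOWN", UNKNOWN)):
        print(name, check_message(raw, KNOWN))
```

A clean result only means these three header and link checks passed; the directory and regulatory-database lookups described above still have to be done by hand.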

Forensic investigations, eDiscovery, disaster preparedness and recovery, and assessing the effect and impact of remediation measures are now greatly aided by better information governance;[38] as well as backups balanced with commonsense and due diligence in knowing what you are getting into with specific situations as a cloud vendor, a cloud user, or a basic data custodian.[39]



Banks had all the money, but data custodians have all the data. Criminals therefore go after the motherlodes of data (financial services entities, telecommunications providers, medical, legal, and accounting professionals, governments, and other data-loaded intermediaries including high volume vendors – supermarkets, department stores, and hardware stores) where no shotguns or facemasks are needed, because they are unseen and can blend into that stream of blissfully unmonitored eCommerce.

Whether stupendously big, or comparatively small,[40] and even if we don’t hear about them publicly or immediately,[41] there will likely still be hacks for quite some time to come. However, all is far from lost, despite the mind-numbing possibility of staggering single and cumulative future data breaches in new markets,[42] and due to developing mobile and virtual payment and settlement solutions – regardless of the breach’s apparent or alleged nation of origin.

“However, I also think that all threats can be adequately considered when you focus on: (a) achieving buy-in to the need for security protocols and adherence thereto at all levels of the organization; (b) you budget accordingly for training, ERP, and the staff and tools to deal with the threat universe; and (c) you assiduously enforce best practices, even when it makes (for some) the accessing of preferred apps. or sites inconvenient to impossible, or slows people down a little. I call this cubing the B.”[43]

In the end, it all starts with leadership, because where there is no buy-in for doing what needs to be done from the higher-ups due to cost concerns, short sightedness, or bad advice, there will be little to no I.T. security budget, best practices will be whatever the heck everyone feels like doing at the time, and a breach will surely come.[44]

At the very least, then, in response to Bob & Co. and what they can do, you should sincerely cube that B!




Ekundayo George is a lawyer and a sociologist. He has also taken courses in organizational and micro-organizational behavior, and has significant experience in business law and counseling (incorporations, business plans, contracts and non-disclosure agreements, teaming and joint venture agreements), diverse litigation, and regulatory compliance practice. He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S. business advising, outsourcing and cross-border trade, technology contracts, and U.S. financing). A writer, blogger, and avid reader, Mr. George has sector experience in Technology (Telecommunications, eCommerce, Outsourcing, Cloud), Financial Services, Healthcare, Entertainment, Real Estate and Zoning, International/cross-border trade, other services, and Environmental Law and Policy. He is a published author on the National Security aspects of Environmental Law, has represented clients in courts and before regulatory bodies in both Canada and the United States, and he enjoys complex systems analysis in legal, technological, and societal milieux.


Mr. George is also an experienced negotiator, facilitator, team leader, and strategic consultant – sourcing, managing, and delivering on large, strategic projects with multiple stakeholders and multidisciplinary teams. Our competencies include program investigation, sub-contracted procurement of personnel and materiel, and such diverse project deliverables as business process re-engineering, devising and delivering tailored training, and other targeted engagements through a highly-credentialed resource pool with several hundred years of combined expertise, in: Healthcare; Education & Training; Law & Regulation; Policy & Plans; Statistics, Economics, & Evaluations including feasibility studies; Infrastructure; and Information Technology/Information Systems (IT/IS) – sometimes also termed Information Communications Technologies, or ICT.


Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”) including employees, agents, directors, officers, successors & assigns, in whole or in part for their content, accuracy, or availability.


This article creates no lawyer-client relationship, and is not intended or deemed legal advice, business advice, the rendering of any professional service, or attorney advertising where restricted or barred. The author and affiliated entities specifically disclaim and reject any and all loss claimed, no matter howsoever resulting as alleged, due to any action or inaction done in reliance on the contents herein.



[1] Chris DiMarco. The top 5 largest cyberbreaches of 2014 (for now). Published October 9, 2014.

The writer gave these top 5, in ascending order, as: Gmail/Google (5 million), Korea Credit Bureau (20 million), Home Depot (56 million), JPMorgan & Chase Co. (83 million), and eBay (145 million). See also infra, notes 11-14, and 7.

[2] Ekundayo George. Cybersecurity: the Enemy is also (perhaps even more so), Within – the case of “Bob”. Published January 17, 2013.

[3] Supra, note 1.

[4] See generally, Wikipedia.

[5] Id.

[6] This is especially true as a sixth big breach has been added since the list was first made, which now fully covers those 6 million “formerly” lucky U.S. Citizens. See e.g. Steve Kovach. Nearly 7 Million Dropbox Passwords Have Been Hacked. Published October 13, 2014.

[7] Initially pegged at 20 million (which number I have retained), the Korea Credit Bureau breach was later re-calculated to have impacted 27 million South Koreans. See Steve Ragan. 27 million South Koreans affected by data breach. Published August 25, 2014.

[8] CBC News. Target data hack affected 70 million people. Published January 10, 2014.

[9] Chris Welch. Over 150 million breached records from Adobe hack have surfaced online. Published November 7, 2013.

[10] Rachel King for Zero Day. LivingSocial confirms hacking; More than 50 million accounts affected. Published April 26, 2013.

[11] See generally Google Corporate. Cleaning up after password dumps. Published September 10, 2014.

[12] Ben Elgin, Michael Riley, and Dune Lawrence. Home Depot Hacked After Months of Security Warnings. Published September 18, 2014.

[13] Jim Finkle and Karen Freifeld. States probe JPMorgan Chase as hack seen fueling fraud. Published Friday, October 3, 2014.

[14] Jennifer Abel. eBay hacked again? BBC reports hijacked seller accounts. Published September 23, 2014.

[15] Administrative Office of the Washington Courts. Washington Courts Data Breach Information Center: Common Questions. Visited November 3, 2014 (regarding a data breach discovered in February/March, 2013); The Associated Press in Washington. Records of up to 25,000 Homeland Security staff hacked in cyber-attack. Published Saturday August 23, 2014.

[16] Ekundayo George. Cybersecurity: the Enemy is also (perhaps even more so), Within – the case of “Bob”. Published January 17, 2013.

[17] Sophie Curtis. Credit card details of 20m South Koreans leaked. Published January 20, 2014; comments on the Korea Credit Bureau case by Matt Middleton-Leal, regional director for the UK and Ireland at security firm CyberArk.

[18] Id.

[19] Indeed, both of the monumental hacks – at Target and Korea Credit Bureau, were accomplished through third parties: Krebs on Security, Email Attack on Vendor Set Up Breach at Target. Published February 12, 2014; Lucian Ciolacu. Contractor with USB Stick Commits Biggest Credit Card Data Heist in South Korean History. Published January 21, 2014.

As a result, some banks with their own compliance concerns, are now quite nervous about their law firms as vulnerable third parties. See e.g. Jennifer Smith and Emily Glazer of Dow Jones Business News. Banks Demand That Law Firms Harden Cyberattack Defenses. Published October 26, 2014.

[20] Id. Jennifer Smith and Emily Glazer of Dow Jones Business News.

[21] Kara Scannell in New York. NY bank regulator targets cyber threat. Published October 6, 2014; quote of Benjamin Lawsky, Superintendent for New York’s Department of Financial Services.

[22] Sharon D. Nelson & John W. Simek. Clients Demand Law Firm Cyber Audits. Published in ABA Law Practice Magazine Vol 39, Number 6 (Nov./Dec. 2013).

[23] As with a stolen credit card, a bounced cheque, or counterfeit cash, for example.

[24] As with a man in the middle attack (spoofed eCommerce website, or legitimate but infected site with cross-site scripting), for example.

[25] As in advance fee fraud, for example.

[26] In July of 2011, two websites (Cyworld and Nate) run by SK Communications of South Korea were breached, resulting in a loss of some 35 million records. “Hackers are believed to have stolen phone numbers, email addresses, names and encrypted information about the sites’ many millions of members.” See BBC. Millions hit in South Korean hack. Published July 28, 2011. One year later, in July, 2012, South Korean authorities announced arrests in the case of hacks impacting 8.7 million users at KT Corp, the nation’s number one fixed line operator and number two mobile operator.

“The company says hackers stole subscribers’ names, phone and personal identification numbers, and then sold the data to telemarketers.”

“An illegally installed computer program had collected subscribers’ information over several months, KT Corp said.”

See BBC. South Korea arrests phone firm KT Corp hacking suspects. Published July 30, 2012.

[27] To impact the Personally Identifiable Information (PII) records of 40% of an entire nation’s population in a single stroke, is certainly a major scoop, by any reckoning. Especially ironic, are the circumstances of this hack:

“Customer details appear to have been swiped by a worker at the Korea Credit Bureau, a company that offers risk management and fraud detection services.” (Where were the vendor due diligence, segregation of duties, and the internal fraud controls?) (Emphasis added).

“The worker, who had access to various databases at the firm, is alleged to have secretly copied data onto an external drive over the course of a year and a half.” (Where were the access and event logs, “business need only” access privilege limitations, and random audits?) (Emphasis added).

See Sophia Yan and K.J. Kwon. Massive data theft hits 40% of South Koreans. Published January 21, 2014. See also supra, note 13, Jim Finkle and Karen Freifeld (JPMorgan Chase & Co.).

[28] Foreign and Commonwealth Office of the United Kingdom. Guidance: Overseas Business Risk – South Korea. Last updated May 27, 2014.

[29] Id.

[30] Daniela Forte. South Korea Stands Out as Ecommerce Market for U.S. Retailers. Published June 19, 2014.

[31] The Associated Press. Korea has nearly as many cell phones as people. Last updated January 28, 2009.

[32] Id., and supra note 30.

[33] Supra note 30.

[34] Reuters. Paper is passe for tech-savvy South Koreans. Published Friday, May 9, 2008.

[35] Gordon Hamilton. Asia Pacific report: South Korea now a global technology tiger. Published November 25, 2013.

[36] Sarah Jones. South Korea boasts highest global credit card penetration: report. Published June 27, 2014.

[37] Ekundayo George. The 100 “FACES” of Data: a 5-part Complex Systems Study (Part 1 – Form Factors). Published November 1, 2013.

[38] Ekundayo George. To Gatto from Zubulake: 2 Thumbs-up for Better Information Governance/Anti-Spoliation. Published March 31, 2013.

[39] Ekundayo George. Data Protection and Retention in the Cloud: Getting it Right. Published March 11, 2013. You cannot leave everything to a vendor or counterparty, if and when you are primarily responsible for your own security and the security of the data that you host at rest, in transit, or subject to access and change, for others.

[40] Terry Collins and Anne D’Innocenzio for The Associated Press. Twitter hackers nab data on 250,000 accounts. Published February 2, 2013.

[41] Ben Elgin, Dune Lawrence and Michael Riley. Coke Gets Hacked And Doesn’t Tell Anyone. Published November 4, 2012. This kind of silence is changing, however, due to increasing regulatory focus on cyber risks and cyber events, and a push for timely and full disclosure and remediation when it may impact the bottom line, systemically important entities, or public or investor confidence.

[42] China and India are the most populous nations on earth, with well over 1 Billion citizens, each; but comparatively (with all other nations) very low ratios of banked citizens, and citizens with access to organized credit facilities. The promised easing of China’s restrictions on foreign credit card issuers paves the way for many of the entry-market credit card products that we see in the West – secured cards, rechargeable cards, debit cards, and the like, along with the juicy fees for annual access, loading, overdrafts, late payments, cash advances, and per transaction. Of course, this will require the taking, keeping, and updating of vast amounts of data on a vast population; creating a single and captive, target rich environment of irresistible size that will remain very vulnerable to any lapses in data governance and/or cyber best practices. See generally Joe McDonald of The Associated Press. China easing credit card monopoly opening door for Visa, MasterCard. Published October 30, 2014.

[43] Ekundayo George. Individual (allegedly) Wreaks Havoc with Former Employer – Another Teachable Moment in Infosec. Published May 16, 2013.

[44] See e.g. Supra note 12, Ben Elgin, Michael Riley, and Dune Lawrence (Home Depot).
