
1TB Breach: Qilin Hits Welcome Financial Group in Korea


Yesterday, the ransomware group known as Qilin posted on their Tor site that they had allegedly compromised and exfiltrated data belonging to Welcome Financial Group, in a data heist amounting to 1,391,000 files totaling 1 TB (1,024 GB).

Welcome Financial Group is headquartered in Seoul, South Korea, and operates as one of the largest non-bank financial institutions in the country. It also manages a variety of subsidiaries and partnerships in Vietnam, Laos, Cambodia, and the Philippines.

Qilin’s leak does not disclose the amount of the ransom demand or the deadline.

Screenshot taken from Qilin’s Tor site.

The ransomware group published a sample consisting of 10 screenshots, which appear to contain the following internal information:

  • Confidential non-disclosure agreements (NDAs)
  • Collateralized debt records (loan principals, accrued unpaid interest, repayment schedules)
  • Property details (apartment foreclosure documents, addresses, appraisal values, and auction schedules/outcomes)

Shareholder registry including:

  • Full names
  • Resident Registration Numbers (Korea’s equivalent of Social Security Numbers)
  • Home/business addresses and phone numbers
  • Shareholdings and equity stakes
  • Bank account details
  • Personal Identifying Information of employees and executives
  • Business registration numbers
  • Dates of birth (executives, shareholders, and clients in KYC forms)
  • And more.

Because Resident Registration Numbers are the single most sensitive PII in Korea, in the wrong hands they give criminals enormous leverage for committing identity theft.

Screenshot from Qilin’s Tor site, publishing samples of the data breach.

Qilin’s Scathing Rebuke

The ransomware gang left a scathing message for the financial company, a hallmark propaganda tactic recognizable from virtually any ransomware playbook, in a futile attempt to shift the blame and gaslight the readers:

Welcome Financial Group, Korea is a huge ecosystem operating in the finance industry. The group provides banking, digitalization, payments, integrated asset management, distressed loans, residential leasing, and startup financing services to its clients.

Over the past 10 years, the company has opened several offices in the Asian region and is expanding its areas of operation. This is a great example of a new kind of company growing at an explosive pace. It would be if it focused on the security and privacy of its customers.

But Welcome Financial Group is extremely irresponsible in protecting important information. As a result, all internal data of the company was available to the public. This means that now anyone can find out absolutely all confidential information about the work of dozens of companies in the region.

Welcome Financial Group leaked the complete database of all its clients. These are names, dates of birth, home and office addresses, bank accounts, emails and much, much more. Numerous confidentiality agreements can be found in the published data, which are now null and void and should be used against Welcome Financial Group.

The Personal Data Protection Act (PIPA) and the Information and Telecommunications Network Development and Data Protection Act (IT Network Act) have been violated.

The choice of words, describing the financial company as a “huge ecosystem,” emphasizes the victim’s size and importance, not only for dramatic effect, but to maximize the reputational damage.

In reality, the message merely frames the attack as a natural consequence of the victim’s supposed failure to maintain a strong cybersecurity posture, rather than as a crime committed by Qilin.

Lastly, the ransomware gang attempts to shift the blame away from themselves and onto the victim. However, without their intrusion, this information would never have been exposed. Qilin caused the data breach, regardless of any gaslighting meant to convince the reader or the company that Welcome Financial Group was responsible for the leak.

As a personal note, I would like to understand the mindset behind why cybercriminal organizations like Qilin bother to make such propagandistic statements, which any layperson can see through.
