South Korea’s Largest Travel Agency Breached, Hacker Demands Bitcoin Payment

By Joseph Young
Updated 22 May 2020

Last month, Hanatour, South Korea’s largest travel agency, suffered a major security breach in which hackers stole the personal information of over one million users. According to local news publications, the hackers have demanded that Hanatour pay a one-time ransom in Bitcoin, but the amount remains undisclosed.

According to South Korean travel associations and independent research firms, Hanatour has consistently been considered South Korea’s largest and most reputable travel agency when measured on revenue, client base and reviews. Since 2007, the company has aggressively moved into new international markets, establishing offices in popular tourist destinations including Japan and China.

According to recent reports, more than one million users have been affected. The company has notified its clients and the public that employees’ computers were targeted by hackers using sophisticated phishing attacks and malware, which allowed an unknown group of hackers to access the company’s servers, where the names, mobile phone numbers, social security numbers, home addresses, email addresses, and telephone numbers of its clients were held. Hanatour further disclosed that the group responsible has demanded large payments in Bitcoin in return for not leaking the data.

In the upcoming weeks, Hanatour will collaborate with government agencies and cybersecurity companies to investigate the attack. Considering the involvement of South Korean law enforcement, it is highly unlikely that Hanatour will pay the Bitcoin ransom to secure the leaked information of users. However, given that the hackers have asked the company to settle the ransom in Bitcoin, there is also a possibility that they could attempt to distribute user information on dark web marketplaces, as many hacking groups have done previously.

Recently, Bithumb suffered an attack using similar methods, in which employees’ computers were targeted by direct phishing attacks and the distribution of malware. Almost immediately after the hack was discovered and reported to local law enforcement, South Korean government agencies, including the Seoul Central Prosecutor’s Office for Advanced Criminal Investigation and the Seoul Metropolitan Police Agency’s Department of Cybercrime, suggested that the attack may have been launched by a North Korean hacking group, as such groups have launched similar attacks in the past, demanding Bitcoin ransoms.

As security research firm FireEye stated:

“In 2016 we began observing actors we believe to be North Korean utilizing their intrusion capabilities to conduct cyber crime, targeting banks and the global financial system. This marked a departure from previously observed activity of North Korean actors employing cyber espionage for traditional nation state activities.”

The intricacies and finer details of the hack remain undisclosed. However, the Hanatour security breach has been the largest cyber attack suffered by a travel agency and possibly the largest Bitcoin ransom-demanding hacking attack in South Korea.