More than 100 million records containing personal and financial information from customers of three major South Korean credit card companies were stolen when an employee of the Korea Credit Bureau illegally copied the data to a USB drive and sold it to telemarketers. The leak revealed weaknesses in how the companies protected sensitive customer information, as employees could easily access the data, USB storage was not restricted, and information was retained for over 30 years instead of being deleted after five years as required by law. It also exposed a lack of security culture as most companies saw data protection as an unnecessary expense rather than a critical business function.