HanaTour: Gaining Customer Trust Through Increased Security
HanaTour International Service is South Korea's largest provider of overseas travel services and air tickets. HanaTour employs nearly 2,500 people in Korea and travel agents outside Korea to provide clients with travel information for about 26 regions worldwide.
HanaTour customers who book travel provide the company with personal details, including their addresses, contact phone numbers, dates of birth, passport numbers, and payment information. These details, along with their airline and tour bookings and travel itineraries, are stored in HanaTour's database. The confidential nature of this information means HanaTour must have security measures in place to protect the database from unauthorized access.

In addition to these marketplace requirements, HanaTour must comply with South Korea's Electronic Communication Privacy Act. That act requires industries to take measures to protect the privacy of personal information. Thus, protecting customer data is not only good business, but also a legal requirement.

To improve database security, HanaTour added data encryption, both in the database and during transmission. The company also implemented access control based on individual authorizations and assigned tasks. To discourage hacker attacks, HanaTour blocked database access even if a hacker obtained top-level administrator privileges for the system. They created an audit trail of database access to spot suspicious activities so that action could be taken immediately. They also published reports to show compliance with security requirements and used audit information to develop further security plans.

Like most small and medium-sized firms, HanaTour does not need the skills that this security upgrade called for on a permanent full-time basis. Rather than hiring and training staff members to address short-term needs and then releasing or finding other work for these employees, HanaTour engaged specialists. The company worked with Korean database consulting firm Wizbase. HanaTour had worked with Wizbase previously, so they didn't have to spend time explaining basic information about how HanaTour's business works.

The net result of these actions was to make it much more difficult for unauthorized people to see any of the personal information that HanaTour customers supplied. Did this help HanaTour? According to Kim Jin-hwan, director of the HanaTour's IT department, "Our business is based on service. We do not want anything to go wrong on a customer's holiday that will inconvenience them. Lost data or any disruptions to our system would affect our ability to provide optimum service. We upgraded our database to improve performance and take advantage of new security features, which would minimize the risk of losing confidential customer data and strengthen our database and systems from unlawful access."

Discussion Questions
1. From the user side, Mr. Kim said that HanaTour upgraded to a new release of its database management software due to its improved security features. What are the business advantages of improved security?

2. How does HanaTour use the data it collects from the audit to increase the security of its data?

Critical Thinking Questions
1. HanaTour chose Wizbase as its implementation partner in part because of prior experience with that firm. Many small-to-medium companies need to outsource security tasks because they lack the expertise. Does this present an added security risk? Why or why not?

2. Think of the data that your university's database has about students as a large table, with a row for each student and a column for each data element. Group the data into major categories such as contact data, medical data, financial data, academic data and so on. Which groups of people, by job, should have access to each category? Within a group, who should have access to only one row, who should have access to more than one row but not all rows, and who should have access to all rows of the table? Should anyone be allowed to see data but not change it?