Shinhan Card, one of South Korea’s largest credit card companies, has disclosed a data leak involving the personal information of approximately 192,000 merchants. The company confirmed the incident on Tuesday and said it has notified the Personal Information Protection Commission, the country’s data protection regulator.
The affected individuals are self-employed merchants who operate franchised businesses and had provided personal information during standard onboarding and contract procedures. According to Shinhan Card, the exposed data was limited in nature and did not include sensitive financial or identification details.
The company stated that information such as credit card numbers, bank account data, citizen registration numbers, and credit records were not compromised. Based on its current review, Shinhan Card said there is no evidence that the leaked information has been misused.
Incident Linked to Internal Handling, Not External Attack
Shinhan Card clarified that the incident did not involve hacking or unauthorized system access from outside the organization. Instead, the company believes the leak resulted from improper internal data handling.
Preliminary findings indicate that an employee at one of the company’s sales branches shared merchant information with a card recruiter for sales-related purposes. The data transfer reportedly violated internal policies governing the use and distribution of personal information.
The company said the internal channel used to transmit the data has since been blocked. An internal investigation was launched immediately after the issue was identified, and Shinhan Card is reviewing employee access controls and oversight mechanisms.
Most of the leaked records consisted of mobile phone numbers, accounting for around 180,000 cases. In approximately 8,000 instances, phone numbers were shared alongside merchant names. A smaller portion of the records also included additional personal details such as date of birth and gender.
Shinhan Card stated that its investigation did not uncover any cases where more sensitive personal or financial data was included in the leak. The company also said that no confirmed cases of fraud, identity theft, or other misuse linked to the exposed information have been reported to date.
The affected data belongs to merchants who signed agreements with Shinhan Card between March 2022 and May 2025.
Regulatory Notification and Review Process
The issue first came to the attention of authorities last month, when a report was submitted to the Personal Information Protection Commission. Following the initial notification, the regulator requested additional documentation to assess the scope of the incident and determine how the data was handled.
Shinhan Card formally reported the breach to the commission on December 23, in line with South Korea’s data protection disclosure requirements. The company said it continues to cooperate with the regulator as the review process remains ongoing.
Company Response and Merchant Guidance
In response to the incident, Shinhan Card issued a public apology and published detailed information through its website and mobile application. A dedicated service page has been made available to allow merchants to check whether their personal data was affected.
The company has advised merchants to remain cautious of suspicious calls, messages, or unsolicited contact attempts, even though no misuse has been confirmed so far. Shinhan Card said it is strengthening internal controls and reviewing how personal data is accessed and shared within the organization.
Regulatory authorities have not yet announced whether corrective measures or penalties will follow. Shinhan Card has said it will continue cooperating with the review while monitoring for any signs of misuse related to the exposed data.
