Shinhan Card, South Korea’s largest credit card issuer, said on December 23 that personal data linked to about 190,000 merchant representatives was improperly accessed and shared by employees over a three year period, highlighting ongoing concerns around internal data controls in the country’s financial sector.
The company said roughly 192,000 records were leaked between March 2022 and May 2025. The exposed information included names, mobile phone numbers, dates of birth and gender details of franchise owners.
Shinhan Card said no resident registration numbers, card details or bank account information were involved and that the incident did not affect general customers.
According to the company, the breach was uncovered after a whistleblower submitted evidence to South Korea’s Personal Information Protection Commission, prompting an investigation.
Shinhan Card began an internal review after receiving a request for information from the regulator in mid November.
Investigators found that 12 employees across regional branches in the Chungcheong and Jeolla areas had taken screenshots or photos of merchant data and shared them via mobile messaging apps with external sales agents.
The information was allegedly used to solicit new card applications from recently registered merchants, including restaurants and pharmacies.
Shinhan Card said verifying the scale of the leak took several weeks because the data was spread across more than 2,200 image files containing about 280,000 merchant entries in varying formats.
Each file had to be checked against internal systems to confirm what information was exposed.
Chief Executive Park Chang hoon issued a public apology, saying the leak was caused by unauthorized employee actions rather than a cyberattack.
He said the company had blocked further access, completed internal audits and strengthened access controls. Shinhan Card said the employees involved would be held accountable.
The company added that affected merchants are being notified individually and can check their status through an online portal.
It said compensation would be provided if any damage is confirmed.
The incident adds to a series of internal data misuse cases in South Korea’s financial industry. Regulators said they are assessing whether the breach violates national data protection laws and what penalties may apply.
The Financial Supervisory Service said it has so far found no evidence that credit information was leaked but will continue to monitor the case.
Analysts say the Shinhan Card case underscores the growing risk posed by insider misuse as financial institutions expand digital services and data driven operations, putting renewed focus on employee oversight and internal governance.
