Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Shinhan Card. Show all posts
South Korea
Cyber Security Data Breach Shinhan Card South Korea

Shinhan Card Probes Internal Data Leak Affecting About 190,000 Merchants

 

Shinhan Card, South Korea’s largest credit card issuer, said on December 23 that personal data linked to about 190,000 merchant representatives was improperly accessed and shared by employees over a three year period, highlighting ongoing concerns around internal data controls in the country’s financial sector. 

The company said roughly 192,000 records were leaked between March 2022 and May 2025. The exposed information included names, mobile phone numbers, dates of birth and gender details of franchise owners. 

Shinhan Card said no resident registration numbers, card details or bank account information were involved and that the incident did not affect general customers. According to the company, the breach was uncovered after a whistleblower submitted evidence to South Korea’s Personal Information Protection Commission, prompting an investigation. 

Shinhan Card began an internal review after receiving a request for information from the regulator in mid November. Investigators found that 12 employees across regional branches in the Chungcheong and Jeolla areas had taken screenshots or photos of merchant data and shared them via mobile messaging apps with external sales agents. 

The information was allegedly used to solicit new card applications from recently registered merchants, including restaurants and pharmacies. Shinhan Card said verifying the scale of the leak took several weeks because the data was spread across more than 2,200 image files containing about 280,000 merchant entries in varying formats. 

Each file had to be checked against internal systems to confirm what information was exposed. Chief Executive Park Chang hoon issued a public apology, saying the leak was caused by unauthorized employee actions rather than a cyberattack. 

He said the company had blocked further access, completed internal audits and strengthened access controls. Shinhan Card said the employees involved would be held accountable. The company added that affected merchants are being notified individually and can check their status through an online portal. 

It said compensation would be provided if any damage is confirmed. The incident adds to a series of internal data misuse cases in South Korea’s financial industry. Regulators said they are assessing whether the breach violates national data protection laws and what penalties may apply. 

The Financial Supervisory Service said it has so far found no evidence that credit information was leaked but will continue to monitor the case. 

Analysts say the Shinhan Card case underscores the growing risk posed by insider misuse as financial institutions expand digital services and data driven operations, putting renewed focus on employee oversight and internal governance.
Read more »
Shinhan Card
Credit Card Data Breach Personal Information Regulatory Compliance Shinhan Card

Shinhan Card Faces Regulatory Review Over Internal Data Sharing Incident

 



Shinhan Card, one of South Korea’s largest credit card companies, has disclosed a data leak involving the personal information of approximately 192,000 merchants. The company confirmed the incident on Tuesday and said it has notified the Personal Information Protection Commission, the country’s data protection regulator.

The affected individuals are self-employed merchants who operate franchised businesses and had provided personal information during standard onboarding and contract procedures. According to Shinhan Card, the exposed data was limited in nature and did not include sensitive financial or identification details.

The company stated that information such as credit card numbers, bank account data, citizen registration numbers, and credit records were not compromised. Based on its current review, Shinhan Card said there is no evidence that the leaked information has been misused.


Incident Linked to Internal Handling, Not External Attack

Shinhan Card clarified that the incident did not involve hacking or unauthorized system access from outside the organization. Instead, the company believes the leak resulted from improper internal data handling.

Preliminary findings indicate that an employee at one of the company’s sales branches shared merchant information with a card recruiter for sales-related purposes. The data transfer reportedly violated internal policies governing the use and distribution of personal information.

The company said the internal channel used to transmit the data has since been blocked. An internal investigation was launched immediately after the issue was identified, and Shinhan Card is reviewing employee access controls and oversight mechanisms.

Most of the leaked records consisted of mobile phone numbers, accounting for around 180,000 cases. In approximately 8,000 instances, phone numbers were shared alongside merchant names. A smaller portion of the records also included additional personal details such as date of birth and gender.

Shinhan Card stated that its investigation did not uncover any cases where more sensitive personal or financial data was included in the leak. The company also said that no confirmed cases of fraud, identity theft, or other misuse linked to the exposed information have been reported to date.

The affected data belongs to merchants who signed agreements with Shinhan Card between March 2022 and May 2025.


Regulatory Notification and Review Process

The issue first came to the attention of authorities last month, when a report was submitted to the Personal Information Protection Commission. Following the initial notification, the regulator requested additional documentation to assess the scope of the incident and determine how the data was handled.

Shinhan Card formally reported the breach to the commission on December 23, in line with South Korea’s data protection disclosure requirements. The company said it continues to cooperate with the regulator as the review process remains ongoing.


Company Response and Merchant Guidance

In response to the incident, Shinhan Card issued a public apology and published detailed information through its website and mobile application. A dedicated service page has been made available to allow merchants to check whether their personal data was affected.

The company has advised merchants to remain cautious of suspicious calls, messages, or unsolicited contact attempts, even though no misuse has been confirmed so far. Shinhan Card said it is strengthening internal controls and reviewing how personal data is accessed and shared within the organization.

Regulatory authorities have not yet announced whether corrective measures or penalties will follow. Shinhan Card has said it will continue cooperating with the review while monitoring for any signs of misuse related to the exposed data.



Read more »
Subscribe to: Comments (Atom)