[25.12.23] Over 190,000 Merchant Personal Records Leaked at Shinhan Card

by monotake 2025. 12. 23. 21:56

Over 190,000 Merchant Personal Records Leaked at Shinhan Card…12 Employees Illegally Collected Data Over Three Years

📍Not a hacking incident but internal misconduct for card sales purposes, exposing serious failures in supervision and internal controls

Shinhan Card has confirmed that more than 190,000 records of merchant owners’ personal information were leaked internally over an extended period. The incident was not caused by external hacking but by 12 employees who manually collected personal data over several years, raising growing concerns over weak management and supervision of personal information within financial institutions.

Shinhan Card revealed that over 190,000 pieces of personal information, including merchant mobile phone numbers, were manually stolen by 12 internal employees over several years.


🔹 Large-Scale Internal Leak Revealed Through External Tip-Off
Shinhan Card announced on the 23rd that it reported an estimated 192,088 leaked records of merchant information to the Personal Information Protection Commission. The leaked data includes merchant names and addresses, as well as merchant owners’ mobile phone numbers.

The company became aware of the breach on the 12th of last month after receiving a request for clarification from the commission, which had obtained the information through an external whistleblower.

Beginning the following day, Shinhan Card launched an internal investigation. It digitized 2,247 photo files submitted by the informant and cross-checked them against its internal database. The company also examined whether there were any records of printed materials, external data transfers, or other signs of system intrusion, while conducting face-to-face interviews with employees suspected of involvement. 

🔹 Twelve Employees Collected Personal Data Over More Than Three Years
The investigation confirmed that a total of 12 employees from five separate sales offices were involved in the data leakage. Between March 2022 and May 2025—a period of approximately three years and two months—they systematically collected personal data of newly registered merchants.

The leaked information included 181,585 mobile phone numbers, 8,120 cases combining phone numbers and names, 2,310 cases including phone numbers, names, birth year, and gender, and 73 cases containing phone numbers, names, and full dates of birth. Shinhan Card stated that no resident registration numbers, card numbers, or bank account information—classified as sensitive credit information—were leaked.

🔹 “For Card Sales Purposes”…Data Taken by Photographing or Handwriting
Because internal regulations prevented employees from directly downloading personal data files from company servers, those involved resorted to photographing information displayed on computer monitors or manually writing it down. According to the company, the employees claimed they intended to use the information to contact new merchants for card sales activities.

Shinhan Card emphasized that, so far, there is no evidence of external hacking, unauthorized server access, or secondary leakage of the information to third parties.

🔹 Criticism Over Lapses in Internal Supervision
Given that multiple employees were able to engage in similar misconduct over a long period without detection, criticism over Shinhan Card’s lack of internal oversight appears unavoidable. Observers point to the sales-driven culture within the financial sector as a factor that may have dulled employees’ awareness of personal data protection obligations. 

Kang Hyung-gu, vice chairman of the Korea Federation of Financial Consumers, said, “The fact that several employees leaked information in similar ways indicates that internal control systems failed to function properly.” He added, “In an environment where sensitive personal data is accessible, roles and access privileges should have been far more strictly segregated.” 

🔹 Disciplinary and Criminal Measures Under Review
Shinhan Card has placed all 12 employees on immediate suspension and is conducting additional investigations to determine disciplinary actions and whether to file criminal complaints. While sensitive credit information has not been confirmed as leaked—meaning financial regulators have not yet intervened directly—further findings could lead to on-site inspections or special audits by the Financial Supervisory Service.

Previously, the Personal Information Protection Commission imposed a fine of 13.4 billion won on Woori Card for a similar case involving the leakage of 75,000 merchant records.

🔹 Apology Issued and Measures to Prevent Recurrence
Shinhan Card has posted a formal apology under the name of its CEO on its website and has begun individually notifying affected merchant owners. The company plans to further restrict access to personal data, expand masking and anonymization measures, strengthen employee training, and reflect personal data protection compliance more heavily in performance evaluations.

Park Chang-hoon, CEO of Shinhan Card, stated, “If any damage results from this personal information leak, we promise to promptly verify and compensate affected customers,” adding, “We sincerely apologize once again and will do our utmost to ensure that customers can use Shinhan Card’s services with confidence.”

One-line summary: Shinhan Card faces criticism after 12 employees illegally collected and leaked over 190,000 merchant records over three years due to weak internal controls.
