Unauthorized Access to Merchant Information for New Sign-ups
Personal Data Provided to Card Solicitors by Matching Resident Registration Numbers
Woori Card was fined 13.5 billion KRW for providing the personal information of approximately 70,000 merchants to card solicitors in order to attract new credit card sign-ups. On the 26th, the Personal Information Protection Commission held a plenary meeting and decided to impose a fine of 13.451 billion KRW on Woori Card for violating the Personal Information Protection Act, along with corrective orders.
The Commission confirmed that Woori Card's Incheon Sales Center used merchants' personal information for new card issuance marketing without their consent and that sales center employees passed this information to card solicitors. The use of merchants' personal information by the Incheon Sales Center spanned from July 2022 to April of last year. The issue arose from using both the merchant management program and the card issuance screening program together to attract new card sign-ups.
First, the business registration numbers of card merchants were entered into the merchant management program to retrieve personal information such as the names, resident registration numbers, mobile phone numbers, and addresses of at least 131,862 individuals. Next, the resident registration numbers of merchants were input into the card issuance screening program to check whether they already held credit cards issued by Woori Card. Subsequently, information on merchants without credit cards was shared with card solicitors via a KakaoTalk group chat.
From January 8 to April 2 of last year, personal information of 75,676 merchants was also sent to card solicitors via email more than twice a day, totaling 100 times.
Goh Hak-su, Chairperson of the Personal Information Protection Commission, is striking the gavel at the plenary meeting held on the 26th at the Government Seoul Office in Jongno-gu, Seoul. Provided by the Personal Information Protection Commission
In total, personal information of at least 207,538 merchants was accessed, and some of this information was passed on to card solicitors. Among the merchants whose personal information was used, 74,692 did not consent to marketing uses such as card product promotions.
A representative from the Personal Information Protection Commission stated, "Woori Card's violations of the Personal Information Protection Act include three main issues: using information collected for merchant management as a means for credit card issuance, unauthorized processing of resident registration numbers, and delegating personal information access rights to the sales center without properly monitoring access logs."
They added, "In particular, Woori Card granted database access rights to sales center employees regardless of their job duties, allowing them to view merchant information. Moreover, despite the sales center accessing and downloading over 30 million pieces of personal information monthly, no measures were taken."
The Commission ordered Woori Card to strengthen internal controls, comply with safety obligations, and enhance management and supervision of personal information handlers. It also required Woori Card to disclose the disciplinary actions on its website.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
