PIPC: "Criminal prosecution not under consideration"
Financial regulators conducted on-site inspection last year
Financial authorities: "Currently under review by disciplinary committee"
Woori Card: "Ongoing employee training and system monitoring"
Woori Card announced on the 27th that it has dismissed employees and card recruiters involved in the merchant owner personal information incident and blocked access to support systems belonging to the sales center. This follow-up action was taken after being fined over 13.4 billion KRW for using the personal information of approximately 74,000 merchant owners for marketing without consent.
The Personal Information Protection Commission (PIPC) announced that it passed a resolution at its plenary meeting the day before to impose a fine of 13.451 billion KRW and corrective orders on Woori Card for violating the Personal Information Protection Act.
According to the PIPC and Woori Card, the Incheon Sales Center of Woori Card accessed the personal information of 131,862 card merchant owners, including names, resident registration numbers, mobile phone numbers, and addresses, from July 2022 to April of last year.
From September 2023, they queried merchant owners’ personal information and Woori Card’s credit card holding status, then created personal information files. They utilized databases (DB) that process personal information of merchant owners and card members.
Between January and April of last year, the Incheon Center sent the personal information of 75,676 merchant owners to recruiters via email a total of 100 times. The center accessed information on at least 207,538 merchant owners in this manner and passed it on to recruiters, among whom 74,692 had never consented to marketing use. Transferring personal information without consent violated the legal provision that prohibits using personal information beyond the scope of its intended use.
Woori Card stated, "We recognized the facts through our internal control channels and immediately conducted an internal audit," adding, "In accordance with the Credit Information Protection Act procedures, we posted related information and an apology on the company website and took strict disciplinary actions including dismissing the involved employees and card recruiters."
They continued, "We have revoked internal terminal system access rights for employees belonging to the (Incheon) sales center and collectively withdrew DB access permissions," adding, "All external email exports now require approval from the Information Protection Department."
Furthermore, Woori Card emphasized, "We have improved internal control processes such as strengthening DB access control, improving DB permission segregation, and enhancing external email sending controls," and "We are currently establishing an information protection management system including a system to detect personal information in external emails."
The PIPC stated that the issue is not limited to the Incheon Center but is a problem across Woori Card as a whole. Kim Hae-sook, Head of Investigation Division 1 at PIPC, said, "Internal controls were lax, and there was no verification or inspection at the headquarters level," adding, "Woori Card requested consideration that the incident occurred only in some sales centers, but this was not accepted."
According to the PIPC, this is the first time a credit card company has been fined for transferring personal information to recruiters without consent. However, they are not currently considering criminal prosecution.
Kim said, "The respondent (Woori Card) must submit a response plan within 90 days from the official notification of the corrective order by the PIPC," adding, "Based on the submitted plan, we will decide whether to summon the respondent to present their opinion, impose fines, or pursue criminal charges."
Woori Card stated, "We deeply reflect on the PIPC’s pointed issues and are taking top priority measures to resolve the problems," adding, "To prevent recurrence of similar cases, we will further strengthen internal controls through employee training and continuous monitoring of information protection systems."
Meanwhile, financial supervisory authorities conducted an on-site inspection at Woori Card’s headquarters in Jongno-gu, Seoul, from April 29 to May 14 of last year regarding the incident. The case is currently before the Financial Supervisory Service’s disciplinary committee for review.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
