Company and FSS: "No Evidence of Customer Credit Information Leakage"
Not Cyber Hacking, but Moral Hazard Among Sales Employees
Similar to Woori Card Case That Resulted in 13.4 Billion Won Fine from PIPC
Twelve Employees from Chungcheong and Jeolla Branch Sales Offices Involved
"Related Employees Removed from Duties... Disciplinary Measures to Be Determined Later"
Following a series of information leakage incidents at Woori Card, SGI Seoul Guarantee, Welcome Financial Group, Lotte Card, and Coupang Pay, Shinhan Card has also experienced a data breach, fueling a growing "information leakage phobia" across the financial sector. Shinhan Card explained that the incident involved the external leakage of approximately 190,000 records, including mobile phone numbers of merchant representatives, due to moral hazard among employees at local branch offices. The company emphasized that this was not a system incident caused by hacking or other cyberattacks. The Financial Supervisory Service (FSS) also stated that there is no evidence of credit information such as customer card numbers or account numbers being leaked, and as of now, it has not decided whether to conduct an on-site inspection.
However, there are concerns that, given the similarities to past cases of credit card sales violations at Woori Card, the incident may lead to inspections or audits by financial regulators. At that time, the Personal Information Protection Commission (PIPC) imposed an administrative fine of 13.4 billion won on Woori Card, and the FSS conducted a two-week on-site inspection. As a result, the financial sector is closely watching whether additional regulatory action will follow the Shinhan Card incident.
Shinhan Card announced that it reported the leakage of a total of 192,088 records, including merchant representatives’ mobile phone numbers, to the PIPC on December 23. Specifically, the leaked information includes 181,585 merchant representatives’ mobile phone numbers, 8,120 records containing mobile phone numbers and names, 2,310 records with mobile phone numbers, names, birth years, and gender, and 73 records with mobile phone numbers, names, and dates of birth. The leaked data was reportedly used for new card recruitment purposes.
The details of the incident were also released. According to Shinhan Card, on November 12, the PIPC received a public interest report regarding the information leakage and requested preliminary data submission before launching an investigation. The next day, Shinhan Card began an internal investigation by comparing approximately 280,000 merchant records submitted by the whistleblower with its own data. Over the following two weeks, the company digitized the submitted materials, compared them with its own database, and conducted face-to-face interviews with relevant employees.
As a result, Shinhan Card confirmed on December 23 that, between March 2022 and May 2025, information for 192,088 new merchants (including business registration numbers, business names, addresses, and phone numbers) had been leaked externally. The company subsequently reported the incident to the PIPC and notified the FSS as well.
The internal investigation found that 12 employees from sales offices under the Chungcheong and Jeolla branches had provided merchant information to former Shinhan Card recruiters in order to boost card sales performance. Shinhan Card has removed all involved employees from their duties and plans to determine the level of disciplinary action (such as police reports, recommended resignation, dismissal, or pay cuts) based on the results of the PIPC investigation and any criminal findings. A Shinhan Card representative stated, "Once the investigation into the employees’ misconduct and legal violations is complete, we will take additional action as necessary, including reporting to law enforcement agencies."
Both Shinhan Card and the FSS stated that, so far, there is no evidence of credit information such as customer card numbers or account numbers being leaked. They also believe that the likelihood of the leaked information spreading further is low. However, there remains a possibility of administrative fines or corrective orders from the PIPC, as well as on-site inspections or ad hoc audits by the FSS, so the situation is being closely monitored.
Previously, on March 27, the PIPC found Woori Card in violation of the Personal Information Protection Act for providing merchant personal information to card recruiters to attract new credit card sign-ups, imposing an administrative fine of 13,451,000,000 won and issuing a corrective order. Woori Card’s Incheon Sales Center accessed the names, resident registration numbers, mobile phone numbers, and addresses of at least 131,862 individuals through its merchant management program over approximately 21 months from July 2022 to April last year. Subsequently, information on merchants without cards was provided to recruiters via KakaoTalk and email. During this process, at least 207,538 individuals’ personal information was accessed, and some of it was transmitted externally.
The Shinhan Card case is structurally similar to the Woori Card incident in that internal employees provided information for business purposes, raising the possibility that the PIPC and FSS will closely examine whether there were violations of the Personal Information Protection Act or other relevant laws.
Within the financial sector, this incident is not considered a cyber incident caused by external hacking, as was the case with Lotte Card or Coupang Pay, but rather a case that exposes weaknesses in internal control systems. Particularly, as card companies are required to submit responsibility structure diagrams to regulators by July 2 of next year, concerns are being raised that regulatory oversight may be strengthened across the industry due to this incident, which resulted from employees’ moral hazard. The timing is also considered unfavorable, as the incident occurred just after the FSS established a new Consumer Protection Division directly under Governor Lee Chanjin and made related personnel changes.
A Shinhan Card representative stated, "We will do our utmost to protect customers and prevent similar incidents from recurring. Although further investigation is needed to determine whether this constitutes 'use of personal information for purposes other than intended' or an 'information leakage,' we are taking measures equivalent to an information leakage to protect our customers."
Meanwhile, after the Lotte Card data breach, the FSS conducted ad hoc inspections and also launched an on-site inspection following the Coupang Pay incident. An FSS official commented, "This case is being treated as a financial incident caused by employee misconduct, not a system (electronic financial) incident. However, we will decide whether to conduct an inspection or audit based on the results of further confirmation regarding the leakage of credit information."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.



