The Korea Times

Shinhan Card reports data breach involving 190,000 merchant records

Major firms' security investment stagnates despite string of information leaks: survey

Shinhan Card headquarters in Seoul, Tuesday / Yonhap

Shinhan Card has reported a personal data breach involving around 190,000 records, including the mobile phone numbers of merchant representatives, to the state privacy regulator, the card issuer said Tuesday.

The incident marks the latest in a series of data breach cases involving major companies, following recent personal information leaks at firms such as Coupang, KT, SK Telecom and Lotte Card.

Shinhan Card said its internal review found that a total of 192,088 data records were exposed, adding that the incident was caused by internal misconduct by employees linked to new card solicitation, rather than by external intrusion such as hacking.

The leaked data included 181,585 cases involving only the mobile phone numbers of card merchant representatives; 8,120 cases combining phone numbers and names; 2,310 cases containing phone numbers along with names, year of birth and gender; and 73 cases involving phone numbers, names and full dates of birth.

The company said there was no indication that highly sensitive personal or financial information, such as resident registration numbers, card numbers or bank account details, had been compromised. It also stressed that the breach was limited to card merchant representatives and did not involve individual cardholders or customers.

The firm added that it sees no risk of further dissemination of the leaked data, as the incident was determined to have resulted from isolated employee misconduct related to new card marketing rather than malicious intent.

The case came to light after a whistleblower submitted evidence to the Personal Information Protection Commission (PIPC) indicating that personal data of card merchant representatives had been leaked.

Following the report, the commission requested relevant documents from Shinhan Card on Nov. 12. The company began reviewing the allegations the following day, comparing the whistleblower’s materials with internal records to verify the facts.

The card issuer disclosed the findings of its investigation on its website and issued a formal apology, while separately notifying the affected card merchant representatives. It also launched a dedicated webpage allowing individuals to check whether their personal data was involved.

“We deeply regret the concern caused by this incident and offer our sincere apologies,” Shinhan Card said, pledging to take all necessary steps to protect customers and prevent similar incidents in the future.

“Additional review is required to determine whether the case should be classified as unauthorized use of personal information or a data breach, but we are responding with measures equivalent to those applied in data leak cases to ensure customer protection,” it added.

gettyimagesbank

Amid a string of recent data breaches affecting companies across multiple industries, a recent survey suggests that major firms have not significantly increased the proportion of their spending dedicated to information security.

A survey by market tracker Leaders Index looked at IT investment by 87 companies among the nation’s top 500 by revenue that disclosed data through the integrated information security disclosure portal. It found investment rose from 16.5 trillion won ($11 billion) in 2022 to 21.6 trillion won in 2024, an increase of 31.2 percent. Over the same period, spending on information security grew 32.8 percent, from 960 billion won to 1.3 trillion won.

Despite the increase, the share of security investment relative to total IT spending edged up only marginally, from 5.8 percent to 5.9 percent, indicating little substantive change.

Staffing trends showed a similar pattern. The number of employees dedicated to information security rose 22.3 percent, from 3,044 to 3,723, but their share of overall IT personnel increased by just 0.3 percentage point, from 6.4 percent to 6.7 percent.

“While companies have expanded information security budgets and staffing in absolute terms over the past three years, the lack of change in proportional investment suggests that security considerations continue to lag behind broader technology spending priorities,” a Leaders Index official said.