The person who stole credit card firms' customer data allegedly sold the information to a middleman, according to the prosecution and the Financial Supervisory Service (FSS) Friday.
This is contrary to the authorities' earlier announcement that the data was not disseminated. It is not yet known whether the information was used for any financial scams.
Prosecutors said they found that the data thief ― a staffer at the Korea Credit Bureau (KCB), a credit information service provider ― offered information about millions of clients to the middleman.
The staffer, surnamed Park, was arrested in January for allegedly stealing information related to more than 104 million credit cards issued by KB Kookmin Card, Lotte Card and NH NongHyup Card.
The stolen data included clients' names; resident registration numbers; cell, home and office phone numbers; home and office addresses; bank account numbers with which they paid credit card bills; and the expiration dates of the cards.
Park has claimed so far that he offered part of the information to one of his friends for 16.5 million won and kept the rest, saying he gave it to nobody else.
However, prosecutors said they believe he sent millions of pieces of data to a third party, declining to say whether it was from a confession or fresh evidence of money transactions. They said they will soon announce additional information about their investigation into the data theft.
The prosecution recently asked the FSS to launch a second inspection of the three card firms in light of the latest information.
"What we've learned is that part of the stolen data was sent to a third party. It seems there is no evidence so far that the information was used in scams," an FSS official said.
This fresh allegation is embarrassing the financial authorities, which had said that they were sure there were no additional leaks.
"We said so following the prosecution's earlier results," the official said.
The FSS plans to order the card companies to notify customers of any possible damage.
It expects not many clients will seek reissuance or cancellation of their credit cards because of the new information, as 4 million cardholders already done since the theft was first reported in January.
The affected card companies said they would compensate customers for any damage caused by the theft.
In the wake of the data breach, the FSS and the Financial Services Commission presented a string of customer data protection measures earlier this week, including the encoding of resident registration numbers, tougher penalties for data thieves and financial firms involved, and restrictions on data-sharing among affiliates of a financial group.
The incident also forced the heads of the three card firms and the KCB to resign.
"We announced the countermeasures, but before coming up with complementary measures, we need to wait for results of the prosecution's probe," the official said.