Shinhan Card Faces Scrutiny After Three-Year Employee Data Leak, Raising Questions About Internal Controls

COMPANY / Reporter Paul Lee / 2025-12-29 03:38:44

Photo courtesy of Yonhap News

 

[Alpha Biz= Paul Lee] Shinhan Card, South Korea’s largest credit card company, is under scrutiny after failing to detect a major personal data leak by employees over a three-year period, raising questions about the effectiveness of its internal control systems.

According to financial industry sources on the 27th, Shinhan Card confirmed that staff from certain branches in the Jeolla and Chungcheong regions had unlawfully accessed and leaked personal information of approximately 190,000 merchant representatives between March 2022 and May 2025. The employees reportedly used screenshots and manual record-keeping to extract the data from internal systems.

Security experts caution that, given the prolonged duration of the leak, it is difficult to completely rule out the possibility of additional undiscovered data exfiltration.

Shinhan Card stated that the incident was not caused by external hacking, but by internal staff misconduct, and that the likelihood of the leaked information spreading further is limited. However, the scale and duration of the leak, spanning three years and involving 190,000 records, have raised concerns about potential secondary and tertiary damage.

The company’s 2024 Sustainability Report indicates that investment in information security has declined in recent years. The proportion of information security spending relative to total IT budgets fell from 10.8% in 2022 to 9.3% in 2023, and 8.2% last year. Employee cybersecurity training also decreased, dropping approximately 12.3% from 18,270 hours in 2023 to 16,023 hours in 2024.

Notably, Shinhan Card holds top-level national certifications and ratings in information security and personal data protection. The company has achieved the highest grade for four consecutive years (2021–2024) under the Financial Services Commission and Financial Supervisory Service’s ongoing information security evaluations, covering 59 assessment items. These results are regularly reported to the board and used externally to demonstrate the company’s information security capabilities.

Shinhan Card has also obtained the Information Security Management System-Personal Information Protection (ISMS-P) certification, the highest-level national accreditation verifying corporate information management and data protection standards in South Korea.

Despite these certifications, the fact that unauthorized data exfiltration by employees went undetected for over three years at a large financial institution with 15 million members highlights significant shortcomings in practical internal controls.

Industry observers expect the incident to trigger a comprehensive review of internal control systems across the credit card sector. Discussions are likely to accelerate regarding the adoption of new evaluation frameworks that move beyond formal assessments to test real-world cybersecurity capabilities.

 

 

 

Alphabiz Reporter Paul Lee(hoondork1977@alphabiz.co.kr)
