Shinhan Card Reports Data Breach Affecting 190,000 Merchant Representatives
Shinhan Card disclosed a data breach involving approximately 192,088 records of merchant representatives, marking the latest in a series of recent leaks affecting major South Korean firms, including Coupang, KT, SK Telecom, and Lotte Card. The incident, reported to the Personal Information Protection Commission (PIPC) on Tuesday, was attributed to internal employee misconduct related to new card solicitation rather than external hacking.
The exposed data included:
- 181,585 records containing only mobile phone numbers
- 8,120 records with phone numbers and names
- 2,310 records with phone numbers, names, birth years, and gender
- 73 records with phone numbers, names, and full dates of birth
Shinhan Card confirmed that no highly sensitive information—such as resident registration numbers, card details, or bank accounts—was compromised. The breach was limited to merchant representatives, with no impact on individual cardholders. The company stated that the leak stemmed from isolated employee actions and posed no further dissemination risk.
The case came to light after a whistleblower submitted evidence to the PIPC, prompting an investigation. Shinhan Card began reviewing the allegations on November 13, verifying the breach through internal records. Following the findings, the company issued a public apology, notified affected merchants, and launched a webpage for individuals to check their exposure.
While Shinhan Card has taken measures equivalent to those for a data breach, further review is needed to classify the incident officially. The company pledged to strengthen protections to prevent future occurrences.
Security Investment Trends Lag Despite Rising Breaches
A recent survey by market tracker Leaders Index revealed that while major South Korean firms increased IT spending by 31.2% (from 16.5 trillion won in 2022 to 21.6 trillion won in 2024), information security investment grew only marginally in proportion—from 5.8% to 5.9% of total IT budgets. Security staffing saw a similar trend, with dedicated personnel rising 22.3% but remaining at just 6.7% of IT workforce share. Analysts noted that despite absolute increases, security priorities continue to trail broader technology spending.
Shinhan Card TPRM report: https://www.rankiteo.com/company/shinhan-card
"id": "shi1766477260",
"linkid": "shinhan-card",
"type": "Breach",
"date": "11/2025",
"severity": "60",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '192,088 card merchant '
'representatives',
'industry': 'Finance',
'location': 'South Korea',
'name': 'Shinhan Card',
'size': 'Large (Top 500 by revenue in South Korea)',
'type': 'Financial Services (Credit Card Issuer)'}],
'attack_vector': 'Internal Misconduct',
'customer_advisories': 'Dedicated webpage for individuals to verify if their '
'data was exposed.',
'data_breach': {'data_exfiltration': 'No evidence of further dissemination',
'number_of_records_exposed': '192,088',
'personally_identifiable_information': 'Yes (Phone numbers, '
'names, dates of '
'birth)',
'sensitivity_of_data': 'Low to Moderate (No resident '
'registration numbers, card numbers, '
'or bank details)',
'type_of_data_compromised': ['Mobile phone numbers',
'Names',
'Year of birth',
'Gender',
'Full dates of birth']},
'description': 'Shinhan Card reported a personal data breach involving around '
'190,000 records, including the mobile phone numbers of '
'merchant representatives, caused by internal misconduct by '
'employees linked to new card solicitation.',
'impact': {'brand_reputation_impact': 'Yes',
'data_compromised': '192,088 records',
'identity_theft_risk': 'Low (No highly sensitive data exposed)',
'payment_information_risk': 'None (No card or bank details '
'compromised)'},
'investigation_status': 'Completed (Initial review by PIPC pending '
'classification)',
'lessons_learned': 'Internal misconduct can lead to significant data breaches '
'even without external hacking; proportional security '
'investment remains stagnant despite rising threats.',
'motivation': 'New Card Solicitation (Non-Malicious)',
'post_incident_analysis': {'corrective_actions': 'Enhanced internal controls, '
'potential reclassification '
'of incident, measures to '
'prevent recurrence.',
'root_causes': 'Internal employee misconduct '
'related to new card solicitation; '
'lack of proportional security '
'investment and oversight.'},
'recommendations': 'Increase proportional spending on information security, '
'enhance employee training on data handling, implement '
'stricter access controls for sensitive data, and '
'prioritize security in broader IT spending.',
'references': [{'source': 'The Korea Herald (Jun Ji-hye)'},
{'source': 'Shinhan Card Official Disclosure'},
{'source': 'Leaders Index Survey'}],
'regulatory_compliance': {'regulations_violated': 'Potential violation of '
"South Korea's Personal "
'Information Protection Act '
'(PIPA)',
'regulatory_notifications': 'Reported to Personal '
'Information Protection '
'Commission (PIPC)'},
'response': {'communication_strategy': 'Public disclosure on website, formal '
'apology, dedicated webpage for '
'verification',
'containment_measures': 'Internal review, whistleblower evidence '
'verification, dedicated webpage for '
'affected individuals to check exposure',
'remediation_measures': 'Formal apology, notification to '
'affected merchant representatives, '
'measures equivalent to data leak cases'},
'stakeholder_advisories': 'Affected merchant representatives notified; public '
'apology issued.',
'threat_actor': 'Employees (Internal)',
'title': 'Shinhan Card Personal Data Breach Involving Merchant '
'Representatives',
'type': 'Data Breach'}