Organisation: Shinhan Card
Incident date: Identified November 2025; disclosed December 23, 2025
Nature of incident: Insider data leak and unauthorized use
Status: Confirmed
Reported by: Shinhan Card; Personal Information Protection Commission (PIPC)
South Korea’s largest credit-card issuer, Shinhan Card, has reported a personal data breach affecting roughly 190,000–192,000 merchant representatives after an employee misused internal customer records. The company disclosed the incident publicly and notified the Personal Information Protection Commission (PIPC), prompting coverage by national media and regulatory-focused outlets.
According to Shinhan Card’s statement, the incident came to light after a whistle-blower reported evidence of unauthorized data use to the PIPC. Regulators requested materials from Shinhan Card on November 12, after which the firm began an internal investigation comparing the whistle-blower’s evidence with internal logs and records. The company concluded that an employee had improperly extracted and used merchant-related data to support new card-recruitment activities.
Shinhan Card says the leak involved 192,088 records tied to merchant operators. Most entries contained only mobile phone numbers, but a subset also included names, birth year, or full date of birth, and gender. The issuer emphasizes that no resident registration numbers, card numbers, account numbers, or other core financial credentials were involved and that the data did not relate to ordinary retail cardholders.
For affected merchant representatives, the exposure of phone numbers and limited demographic data still creates a meaningful risk of targeted phishing, smishing, and social-engineering attempts, especially if attackers were to obtain or reuse the dataset. Shinhan Card says it has no evidence that the information was widely disseminated, but the company is contacting impacted individuals and providing guidance on handling suspicious calls or messages.
At a systemic level, the case highlights insider-risk challenges in large financial institutions that manage high-volume merchant and customer datasets. The breach has drawn attention from privacy-law specialists and regulators, who are examining Shinhan Card’s internal controls, logging, and access-management practices as part of the PIPC oversight process.
Shinhan Card has issued a formal apology from its CEO, reported the incident to the PIPC, and set up a dedicated channel for potentially affected merchant operators to verify whether their data was involved. The company says it is strengthening internal monitoring, tightening staff access to marketing datasets, and reviewing disciplinary measures related to employee misconduct.
This insider-driven leak underscores the need for robust data-loss prevention, least-privilege access controls, and proactive audit mechanisms in financial services environments, even where traditional perimeter defenses remain intact.