South Korea’s Shinhan Card Data Breach Affects 192,000 Merchants

The Shinhan Card data breach has exposed the personal information of approximately 192,000 card merchants, the South Korea–based financial services company confirmed on Tuesday. The incident, which involved the unauthorized disclosure of phone numbers and limited personal details, has been reported to the country’s Personal Information Protection Commission (PIPC).

According to Shinhan Card, the breach affected self-employed individuals who operate franchised merchant locations and had shared personal details as part of standard merchant agreements. The company said there is currently no evidence that sensitive financial information, such as credit card numbers, bank account details, or national identification numbers, was compromised.

Employee Misconduct Identified as Cause of Shinhan Card Data Breach

In a statement, Shinhan Card clarified that the Shinhan Card data breach was not the result of an external cyberattack. Instead, the company suspects internal misconduct, with an employee at a sales branch allegedly transmitting merchant data to a card recruiter for sales-related purposes.

“This was not due to external hacking but an employee’s misconduct,” a Shinhan Card official said, adding that the internal process involved has since been blocked. The company launched an internal investigation immediately after becoming aware of the incident and has taken steps to prevent similar actions in the future.

Scope of Personal Information Leak

The leaked data primarily involved mobile phone numbers, which accounted for roughly 180,000 cases. In about 8,000 instances, phone numbers were leaked alongside names. A smaller subset of records also included additional details such as birthdates and gender.

Shinhan Card stated that its investigation has not identified cases where citizen registration numbers, card numbers, account details, or credit information were exposed. At this stage, the company has also said that no confirmed cases of misuse of the leaked information have been reported.

The personal information leak affected merchants who signed contracts with Shinhan Card between March 2022 and May 2025, according to findings shared with regulators.

Shinhan Card Data Breach Timeline and Regulatory Notification

The breach came to light last month following a report submitted to the Personal Information Protection Commission, South Korea’s data protection authority. After receiving the notification, the PIPC requested supporting materials from Shinhan Card to assess the scope and cause of the incident.

Following its internal review, Shinhan Card formally reported the data breach to the PIPC on December 23, complying with regulatory disclosure requirements. The company has continued to cooperate with authorities as the review process continues.

Company Response and Merchant Support Measures

In response to the Shinhan Card data breach, the company published an apology and detailed guidance on its website and mobile application. It also launched a dedicated page allowing affected merchants to check whether their personal data was compromised.

“We will make every effort to protect our customers and prevent similar incidents from recurring,” a Shinhan Card spokesperson said. The company has emphasized that it is strengthening internal controls and reviewing access permissions related to merchant data.

Shinhan Card also urged merchants to remain vigilant for potential phishing or unsolicited contact attempts, even though no additional harm linked to the leaked data has been confirmed so far.

Broader Implications for Financial Data Protection

The Shinhan Card data breach incident highlights ongoing challenges around data governance and insider risk within financial institutions, even as companies continue to invest heavily in cybersecurity defenses against external threats. While many breaches globally involve hacking or ransomware, incidents stemming from employee misconduct remain a persistent concern for banks and payment providers.

Authorities have not yet announced whether penalties or corrective actions will follow the investigation. For now, Shinhan Card maintains that it is focused on customer protection and restoring trust following the incident.