Shinhan Card headquarters in Seoul. The company has reported massive data leaks. Photo by Yonhap
SEOUL, Dec. 26 (UPI) — Shinhan Card, one of the country’s top credit card issuers, reported a massive data leak Tuesday.
The Seoul-based company said more than 190,000 cases of potential data exposure have been identified that involve merchant partners’ personal and business information.
The incident seems to stem from employee actions rather than an external cyberattack. Against this backdrop, Shinhan Card CEO Park Chang-hun issued a formal apology.
“We would like to express our deepest apologies,” he said. “Upon discovering the incident, we immediately took measures to block any further leaks and completed a thorough review of our internal processes.”
“To ensure the protection of personal information in the future, we will conduct a full investigation into the cause and circumstances of the leak and strictly discipline the employees involved,” he said.
Despite the steps, criticism intensified as a series of security failures have taken place throughout this year.
In late November, the country’s leading online retailer, Coupang, acknowledged that the names, email addresses, phone numbers and delivery addresses of 33.7 million customers had been leaked.
The New York Stock Exchange-listed corporation could face fines amounting to a maximum of 3% of its related revenue, which is levied by the state-run Personal Information Protection Commission.
Since Coupang logged sales of some $28 billion in 2024, potential fines could surpass $800 million.
Earlier this year, SK Telecom admitted that a cyberattack had breached its network, exposing sensitive data and compromising critical information of about 23 million subscribers.
As a result, the top mobile operator was fined $92 million and ordered to suspend adding new customers for nearly two months, in accordance with government guidelines.
Criticizing companies that failed to protect customer information, Prime Minister Kim Min-seok vowed to more than triple the fines for similar violations.
“Urgent legislative tasks, such as the introduction of punitive administrative fines, will be swiftly advanced so that they can be passed as soon as possible,” Kim said at a government meeting Wednesday.
“For repeated and serious violations, we will introduce punitive fines of up to 10% of a company’s total revenue and strengthen the obligation to notify individuals of personal data breaches,” he said.
When corporate data leaks are reported, the South Korean government is quick to lash out at companies. However, critics argue that the government and state-operated organizations have failed to adequately protect their own data.
In 2021, the Atomic Energy Research Institute, the state-run outfit responsible for nuclear power research, was breached by a suspected North Korean state-backed group through a virtual private network server.
Last year, police found that North Korean hackers had stolen data from the National Court Administration during June 2021 and January 2023. The compromised data exceeded 1 terabyte, equivalent to more than 1.5 billion pages of documents, including personal information.
Despite these threats, the government is reluctant to spend more money to mitigate cybersecurity risks.
For example, the Seoul administration cut the 2026 budget for the operation and maintenance of integrated security control centers run by local governments by almost 30% compared with this year.
It also reduced the 2026 budget for reinforcing security and protection facilities at government complexes by more than 40%.
This contrasts with the 8.1% year-on-year increase in the national budget for 2026.
“When hacking incidents occur, harsh penalties are imposed on private enterprises. For government agencies, however, it seemingly ends up with only a slap on the wrist. Such asymmetric punishments are not difficult to understand,” economic commentator Kim Kyeong-joon, formerly vice chairman at Deloitte Consulting Korea, told UPI.
“Moreover, the government is required to strengthen the country’s cybersecurity infrastructure. And leaks of public data or documents are even more dangerous when they are related to national defense. I wonder whether our government is doing enough in these areas,” he said.
Park Tae-hwan, head of the AhnLab CyberSecurity Center, called for stronger efforts to counter online threats and data breaches. AhnLab is the country’s leading cybersecurity vendor.
“Following a series of cyber intrusion incidents of late, regulations centered on bigger fines and punitive measures have come to the forefront, raising the burden on companies,” Park told UPI.
“To enable a meaningful shift in perception, a parallel policy approach is needed, like one that provides incentives to companies with strong security practices, thus encouraging greater voluntary investment in cybersecurity by the private sector,” he said.