Shinhan Card confirmed that personal data of its franchise owners had been leaked but notified the individuals nearly 20 days late, drawing criticism that internal controls are not functioning properly. Under the Personal Information Protection Act, when personal data is leaked, victims must be informed of the leak within 72 hours, and violating this requirement results in fines.
According to the industry on the 24th, Shinhan Card sent text messages from 2 p.m. on the 23rd to notify victims of the personal data leak. Shinhan Card reported the matter to the Financial Supervisory Service on the 5th, when its data analysis and determination of the leak's cause were completed, but notified the individuals only 18 days later.
Shinhan Card said the previous day that 12 employees accessed internal systems from March 2022 to May this year, stole information such as franchise representatives' names and mobile phone numbers, and passed it to credit card recruiters for use in sales.
According to the Enforcement Decree of the Personal Information Protection Act, personal data controllers such as Shinhan Card must, upon learning of a leak, notify the victims (data subjects) within 72 hours of the leaked data and the timing and circumstances of the leak. Even if the types of leaked data and the timing and circumstances cannot be confirmed, they must still notify the fact of the data leak and what has been confirmed at that time. Violations are subject to fines of up to 30 million won.
Shinhan Card also reported the leak to the Personal Information Protection Commission (PIPC) and the Korea Internet & Security Agency (KISA) only the previous day. According to the Enforcement Decree of the Personal Information Protection Act, even if specific details cannot be determined at the time of a personal data leak, it must be reported to the PIPC within 72 hours, and any additional confirmed details must be reported immediately upon confirmation. Failure to comply is also subject to fines of up to 30 million won.
Shinhan Card argues that the point at which it confirmed the personal data leak was the previous day. A Shinhan Card official said, "At the first assessment (on the 5th), it was uncertain whether a leak had occurred. We conducted an ongoing internal investigation after the 5th, recognized the leak on the 23rd, and reported it immediately."
The information siphoned by a Shinhan Card employee totals 192,088 items, including franchise representatives' mobile phone numbers, names, dates of birth, and gender. The breakdown is: 181,585 mobile phone numbers only; 8,120 mobile phone numbers with names; 2,310 mobile phone numbers with names, dates of birth, and gender; and 73 mobile phone numbers with names and dates of birth.
Some say that 94% (181,585 items) of the 192,088 leaked items involved only mobile phone numbers and are difficult to regard as personal data. Personal data refers to information that can identify an individual, and a mobile phone number must be combined with other information to identify a person. The PIPC is investigating whether the leaked mobile phone numbers constitute personal data and whether there were violations of notification and reporting obligations.