Woori Card has been fined approximately 13.4 billion won for using the personal information of over 74,000 franchise owners for marketing without obtaining consent.
The Personal Information Protection Commission said on the 27th that it had approved a penalty surcharge and corrective orders against Woori Card for violations of the Personal Information Protection Act at a full meeting the previous day.
The Personal Information Protection Commission launched an investigation in April last year following a report that "the personal information of the representatives (franchise owners) of Woori Card's franchisees is being used for new card recruitment" along with a report from Woori Card.
The investigation found that the Incheon sales center of Woori Card, from July 2022 to April last year, entered the business registration numbers of card franchisees into the franchise management program to improve sales performance, retrieving personal information such as the names, resident registration numbers, mobile phone numbers, and addresses of at least 131,862 franchise owners.
Additionally, the center entered franchise owners' resident registration numbers into the card issuance review program to check whether each franchise owner held a credit card issued by Woori Card (Woori Credit Card), recorded this information on franchise documents, and shared it in a KakaoTalk group chat with card recruiters and others.
In particular, starting in September last year, the personal information of franchise owners and card members was queried by running commands against the databases that manage their information, and personal information files were created after checking the franchise owners' personal information and whether they held Woori Credit Cards.
Between January and April last year, personal information of 75,676 franchise owners was transmitted to card recruiters via email more than twice a day, totaling 100 times.
The Incheon sales center of Woori Card accessed information of at least 207,538 franchise owners and provided this data to card recruiters, which was used for marketing aimed at issuing Woori Credit Cards.
Of these, 74,692 franchise owners were found not to have consented to the use of their personal information for marketing. The Personal Information Protection Commission determined that this violated the provisions of the Personal Information Protection Act that prohibit using personal information beyond its permitted scope and breached the restriction on processing resident registration numbers.
Moreover, the way Woori Card delegated authority over databases, file downloads, and access to personal information, including resident registration numbers, revealed negligence in internal controls such as monitoring access rights and checking access records.
Accordingly, the Personal Information Protection Commission imposed a penalty surcharge of approximately 13.451 billion won on Woori Card for using the franchise owners' personal information for purposes other than intended.
In addition, it ordered Woori Card to strengthen internal controls to prevent misuse of personal information, minimize and check access rights, comply with safety measures, and to enhance management and supervision of those handling personal information, while also requiring the company to publish the disposition on its website.
Kim Hae-sook, head of the investigation division at the Personal Information Protection Commission, explained in a briefing, "We confirmed it as an issue with the Incheon sales center, but determined it was a problem encompassing all of Woori Card due to negligence in internal controls and lack of checks or inspections from headquarters." She added, "Although Woori Card requested consideration claiming this was an issue that occurred only in some sales centers, it was not accepted."