
Class Action Lawsuit Planned Against Shinhan Card Following Internal Leak of 190,000 Personal Data Records
- koreandriven
- Dec 27, 2025
Public concern and legal action are rapidly escalating following a large-scale personal data breach at Shinhan Card, as the incident was found to involve prolonged illegal activity by internal employees rather than an external cyberattack.
According to the credit card industry on December 26, Shinhan Card confirmed that employees at several of its sales offices unlawfully collected and leaked personal information of merchant representatives for the purpose of acquiring new card accounts. The data leakage reportedly occurred over a period spanning from March 2022 to May 2025, involving at least 12 employees across five sales offices.
The leaked information includes mobile phone numbers, names, dates of birth, and gender details of approximately 190,000 merchants. The company stated that highly sensitive data such as resident registration numbers, bank account details, or card numbers were not included. Investigations indicate that employees extracted the information by photographing internal data inquiry screens or manually transcribing the data.
Law firm Lofid has begun recruiting plaintiffs for a joint lawsuit on behalf of affected merchants and plans to seek compensation of 300,000 won per individual. The proposed amount is based on recent rulings by the Personal Information Dispute Mediation Committee related to the SK Telecom hacking case, compensation precedents involving Coupang, and past court decisions concerning data breaches at card companies.
The incident has intensified criticism amid concerns over Shinhan Card’s reduced investment in information security. According to the company’s sustainability management report, employee information security training hours declined by more than 12 percent year-on-year, while the proportion of the information security budget within the overall IT budget fell to 8.2 percent, dropping into the 8 percent range for the first time in three years.
The internal control committee established within the board of directors last year has also come under scrutiny. Despite holding seven meetings, the committee failed to prevent the large-scale data breach in advance, leading to assessments that it has not functioned effectively.
As the situation developed, financial authorities moved swiftly. The Financial Services Commission convened an emergency meeting to review the circumstances of the breach and assess the risk of further damage, while the Financial Supervisory Service announced plans to conduct an on-site inspection of Shinhan Card to examine its internal control and information security systems.
Meanwhile, experts advise merchants who may have been affected to check whether their data was leaked through Shinhan Card’s official website and to remain vigilant against voice phishing and smishing messages. They emphasize that financial institutions do not request app installations or account information via text messages and note that strengthening security settings, such as enabling two-factor authentication on financial applications, can significantly reduce potential risks.



