Shinhan Card, one of South Korea’s largest credit card issuers, has reported a significant data breach that has potentially exposed the personal and business information of over 190,000 individuals. The company, headquartered in Seoul, indicated that the incident appears to be linked to actions taken by its employees rather than an external cyberattack. This breach raises serious concerns about the security measures in place at major financial institutions in the country.
On December 26, 2023, Shinhan Card’s CEO, Park Chang-hun, issued a formal apology regarding the breach. “We would like to express our deepest apologies,” he stated. “Upon discovering the incident, we immediately took measures to block any further leaks and completed a thorough review of our internal processes.” Furthermore, Park emphasized the company’s commitment to investigate the circumstances surrounding the breach and to enforce strict penalties on any employees found responsible.
The situation has garnered heightened scrutiny, especially in light of a series of security failures throughout the year. In late November, Coupang, South Korea’s leading online retailer, acknowledged that a massive data leak had compromised the names, email addresses, phone numbers, and delivery addresses of 33.7 million customers. The company may face fines of up to 3% of its revenue, potentially exceeding $800 million, based on its reported sales of approximately $28 billion in 2024.
Earlier in the year, SK Telecom experienced a cyberattack that breached its network, exposing sensitive information of around 23 million subscribers. As a consequence, the mobile operator was fined $92 million and faced restrictions on adding new customers for nearly two months, following government regulations.
In response to growing criticism about inadequate protections for customer data, South Korean Prime Minister Kim Min-seok announced plans to enhance penalties for companies that fail to safeguard personal information. “Urgent legislative tasks, such as the introduction of punitive administrative fines, will be swiftly advanced so that they can be passed as soon as possible,” Kim stated during a government meeting. He proposed introducing fines of up to 10% of a company’s total revenue for repeated violations and emphasized the need for stronger notification obligations regarding personal data breaches.
While the government has been vocal in holding private enterprises accountable for data leaks, critics point out that state-run organizations have not adequately protected their own data. Notably, in 2021, the Atomic Energy Research Institute, a government agency, was reportedly breached by a suspected North Korean group through a virtual private network server. Additionally, police discovered that North Korean hackers had stolen over 1 terabyte of data from the National Court Administration between June 2021 and January 2023. This compromised data included sensitive personal information.
Despite these alarming incidents, the South Korean government has shown reluctance to allocate additional funds for cybersecurity improvements. For instance, the Seoul administration cut the budget for integrated security control centers by nearly 30% for 2026 and reduced funding for security enhancements at government facilities by over 40%. This contrasts sharply with the overall national budget, which is projected to increase by 8.1% year-on-year for the same period.
Economic commentator Kim Kyeong-joon, formerly with Deloitte Consulting Korea, highlighted the disparities in accountability. “When hacking incidents occur, harsh penalties are imposed on private enterprises. For government agencies, however, it seemingly ends up with only a slap on the wrist,” he remarked. He further stressed the importance of strengthening the country’s cybersecurity infrastructure, particularly when breaches relate to national defense.
In light of the recent surge in cyber incidents, Park Tae-hwan, head of the AhnLab CyberSecurity Center, called for a more comprehensive approach to cybersecurity. “Regulations centered on bigger fines and punitive measures have come to the forefront, raising the burden on companies,” he explained. “A policy approach that provides incentives for companies with strong security practices is necessary to encourage greater voluntary investment in cybersecurity.”
As Shinhan Card navigates the fallout from this significant data breach, the broader implications for data security in South Korea remain a pressing concern for both consumers and businesses alike.
