[Editorial] Even Franchise Owners' Information Exposed: Time to Shift the Security Paradigm

It has come to light that Shinhan Card Co., Ltd. suffered a leak of 190,000 cases of personal information belonging to franchise owners. Over a period of more than three years, from March 2022 to May this year, at least 12 employees from five or more field offices were reportedly involved. More than 180,000 mobile phone numbers, along with names and dates of birth, were indiscriminately leaked. This incident cannot be dismissed as a simple data breach. In reality, it constitutes systematic misconduct. The motives and methods behind the leak are even more alarming. The information was stolen to boost new card recruitment numbers. For personal gain, employees used a primitive method of photographing computer screens and sending the images to planners.
While the scale of this leak may seem less significant compared to previous incidents, the lessons it offers are clear. Reviewing this year's data breaches, it is evident that personal information is being leaked through various channels, including external hacking, insider crimes, and system vulnerabilities. In the case of Coupang, an insider transferred information to China, whereas at Shinhan Card Co., Ltd., the leak occurred at the business site level. This incident clearly demonstrates that data breaches are no longer limited to central server hacks or external intrusions. As leak channels become more diverse and layered, the traditional centralized security system is no longer sufficient to protect personal data. It is time for a fundamental shift in the security paradigm.
The Shinhan Card Co., Ltd. case, in particular, exposed significant security vulnerabilities at the field office level. Typically, efforts to strengthen security focus on central system management. However, no matter how robust the central system is, it is impossible to perfectly control information accessed by hundreds or thousands of business sites and tens of thousands of employees. Furthermore, the fact that employees under performance pressure can easily access and leak information highlights structural weaknesses. In our society, it is not uncommon for frontline employees to leak information for personal gain, even without customers’ consent for marketing purposes.
We have repeatedly emphasized the need for a fundamental change in the information security paradigm. Yet, the Shinhan Card Co., Ltd. incident presents another challenge for information security. It underscores the importance of refining access rights management. Employees should only be able to view the minimum information necessary for their work, and systems for real-time monitoring of access history must be strengthened.
Companies may worry that strengthening information security measures could hinder business operations. However, such lax management of personal data cannot be justified under the banner of managerial autonomy. As companies profit from business activities involving personal information, they cannot ignore the social damage caused by information leaks. Recognizing the seriousness of the situation, the financial authorities have decided to expand inspections across the entire card industry. Government agencies should use this incident as an opportunity to accelerate comprehensive inspections that cover not only central systems but also field offices.