20,000 ShinHyup Customer Records 'Leaked Externally'... Institution Warning and 2.8 Billion KRW Fine Imposed
Financial Supervisory Service Decides Sanctions Following Inspection of ShinHyup Central Association... Imposes Fine of 113.6 Million KRW
Failure to Notify Victims and FSS of Violations After Incident Confirmed
Inadequate Credit Information System and Network Separation Rule Violations
Sanctions Including Dismissal, Suspension, Reprimand, and Pay Cut Imposed on Six Current and Former Employees
Violations of Collective Investment Securities and Beneficiary Securities Purchase Regulations Also Found
The National Credit Union Federation of Korea (NACUFOK) was sanctioned with a warning, a fine of 2.872 billion KRW, and a penalty of 113.6 million KRW for violating related regulations by failing to report to the affected parties and the Financial Supervisory Service (FSS) after confirming that an employee leaked 18,465 cases of personal credit information for purposes other than work. It was also revealed that the federation did not properly implement security measures for the credit information computer system and violated hacking prevention measures related to network separation, which requires separating internal and external networks. Additionally, NACUFOK violated the Credit Union Act while managing the repayment reserve fund.
According to the FSS on the 13th, the Small and Medium Finance Inspection Division 2 confirmed that in January 2019, employee A of NACUFOK, while working at a regional headquarters, sent 18,465 cases of personal credit information (including member names, loan account numbers, loan amounts, etc.) via email 60 times to B Credit Union for reference in audit work. The employee was scheduled to transfer to B Credit Union as an auditor after resignation. The Act on the Use and Protection of Credit Information prohibits credit information companies and others from disclosing or using others' credit information and personal secrets obtained through work for purposes other than work.
The FSS also confirmed that NACUFOK did not notify the affected credit information subjects or the FSS of the violation after confirming employee A’s legal breach. The Credit Information Act requires that when it is known that personal credit information has been leaked for non-work purposes, the affected individuals must be notified without delay, and if more than 10,000 cases are leaked, a leakage report must be submitted to the FSS immediately.
An FSS official explained, "NACUFOK confirmed the leakage of 18,465 cases of personal credit information through internal audits and external legal reviews but neither notified the affected parties nor submitted a leakage report to the FSS." Two law firms involved in the internal legal review also judged the leakage incident as a violation of the law.
Deficiencies in the credit information computer system were also identified. The Credit Information Act and related regulations require credit information providers and users to establish and implement technical, physical, and managerial security measures to protect the credit information computer system, but NACUFOK failed to properly implement these measures from the time of the leakage incident until December 2021.
The inspection revealed that NACUFOK stored customers' and employees' personal credit information in plaintext, without encryption, on internal work terminals (PCs). It also sent stored personal credit information by email through the federation's groupware to individual credit unions (external corporations) without having established a prior approval procedure, so the transfers went out without prior approval from the responsible management.
The credit information manager also failed to carry out regular investigations and improvements, and to establish internal control procedures, covering the encryption of personal credit information, the control of external data transfers, and the federation's handling practices for personal credit information. Furthermore, when electronic data was sent to individual credit unions (external corporations) by email through the federation's groupware, no approval or confirmation procedure by the responsible management was followed.
An FSS official pointed out, "Due to system deficiencies, the employee who was about to resign improperly leaked audit reports and complaint investigation documents containing personal credit information for non-work purposes, but this was not detected or blocked in advance."
It was also revealed that NACUFOK failed to properly separate internal and external networks to prevent hacking, as required by the Electronic Financial Transactions Act and related regulations. From August 2019 to April 2022, during the inspection period, NACUFOK allowed all employees’ internal network PCs to access 36 external internet sites for work convenience without conducting risk assessments or obtaining approval from the internal information protection committee. For cost savings and management convenience, internal and external network tasks were not separated.
Meanwhile, the FSS also uncovered that NACUFOK violated regulations on purchasing collective investment securities and beneficiary certificates. The Credit Union Act limits the proportion of listed stocks included in collective investment securities or beneficiary certificates purchased with repayment reserves to 30% or less.
An FSS official explained, "NACUFOK purchased and held professional investor-type private equity investment trusts with a listed stock inclusion ratio of up to 40% using repayment reserves. Among these, one professional investor-type private equity investment trust exceeded the 30% limit by up to 1.57 percentage points (P)." In addition to institutional sanctions, the FSS decided on disciplinary actions such as dismissal, suspension, reprimand, pay reduction, and warnings against six current and former employees who violated the Credit Information Act, Electronic Financial Transactions Act, and other related regulations.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.