주메뉴바로가기본문바로가기
비즈한국 비즈한국

Woori Bank Faces Controversy Over Personal Data Leak via Third-Party Vendor

This article was automatically translated by AI. There may be errors compared to the original Korean article.  Read original in Korean →

[비즈한국] Woori Bank has been embroiled in a controversy regarding the leakage of customer personal information. The breach occurred at an outsourced firm that handled personal information for Woori Bank's Non-Fungible Token (NFT) platform construction project. The incident resulted in the exposure of Connecting Information (CI) for 17,551 Woori Bank customers. Although the leak did not originate from within the bank, the fact that it occurred at a partner company entrusted with sensitive data makes it difficult for Woori Bank to avoid criticism regarding its personal information management and supervision responsibilities.

Woori Bank became aware on June 30 that a personal data breach had occurred through an external firm that was in charge of its NFT platform construction project. Photo=Reporter Lim Jun-seon

On the 3rd, it was revealed that the personal information of 17,551 Woori Bank customers had been leaked. The affected individuals are customers who consented to providing personal information on the Woori Bank NFT platform service. The leaked data consists of nicknames and Connecting Information (CI) within the NFT platform service; information such as names, resident registration numbers, and addresses were not included. CI is a personal identification value generated by identity verification agencies based on data like resident registration numbers, and it is used to confirm whether a user is the same across various online services.

The breach was caused by an employee of Blocko, a sub-contractor that handled Woori Bank's NFT platform construction project in 2024. Despite the project having concluded, a Blocko employee who had been keeping the personal information files without authorization posted a link to the data on a developer platform in September 2025.

Woori Bank and Blocko began taking measures, such as reporting to the Personal Information Protection Commission and blocking the link to the personal information file, after realizing the situation on June 30. Blocko posted an announcement and an apology regarding the data leak on its website on the 3rd. Blocko explained, "As a sub-contractor that carried out the Woori Bank NFT platform construction project from September 2024 to February 2025, we processed the personal information of service users," adding, "In September 2025, due to negligence by our employee, a file link containing user nicknames and CI was leaked."

CI is an encrypted value of a resident registration number used to identify individuals online and is often called an 'online resident registration number.' While CI cannot be used alone to identify a specific individual or be converted back into a resident registration number, it can be misused if combined with other identifiable information that has already been leaked.

Woori Bank has notified the affected customers individually about the incident. Woori Bank stated, "To prevent harm, please be cautious of calls from unknown sources or clicking on URL links in text messages," adding, "If any damages occur due to this leak, we will provide compensation after verification." According to the bank, no cases of misuse resulting from this leak have been confirmed to date.

The nicknames and Connecting Information (CI) of 17,551 customers who used Woori Bank's NFT platform service were leaked. Photo=Provided by Woori Bank

Although the incident did not occur within the bank, the potential for customer harm has made it difficult for Woori Bank to escape accountability. In particular, it is pointed out that personal information handed over to external firms remains in a blind spot for management and supervision. Another issue is that Woori Bank and Blocko only became aware of the breach more than nine months after it occurred. Financial authorities, upon receiving the report, reportedly requested that Woori Bank conduct an internal audit regarding the incident.

Woori Bank explained that it implements multi-stage security management measures when pursuing projects with external firms. At the start of a project, the bank receives a security pledge from the external firm stating that project information will not be used arbitrarily or leaked. During project execution, the bank's information security department conducts monthly security training for the external firm's employees involved in the project. After the project concludes, the bank collects a withdrawal confirmation from the external firm, and all computer equipment used by them is collected and wiped clean.

While Woori Bank and Blocko emphasized that "the leaked information does not include member IDs or login credentials, and CI alone cannot identify a specific individual," user anxiety is growing as personal information leaks have been occurring across all industries recently. In particular, as a large-scale breach occurred in June involving the sensitive data of over 19 million TVING users—including names, birth dates, contact info, IDs, and emails, along with CI—the possibility of this information being linked to Woori Bank data for malicious purposes cannot be ruled out.

Following the incident, Woori Bank stated through a notification, "We will use this leak as an opportunity to conduct a full investigation into the personal information management status of our development partners and rectify any deficiencies."

Meanwhile, as customer CI leakage incidents continue to occur at domestic companies, there is a growing movement to stop unnecessary CI collection and demand its deletion. Groups including the Digital Justice Network, the Digital Information Committee of Lawyers for a Democratic Society, the Institute for Digital Rights, and People's Solidarity for Participatory Democracy argued in a campaign this past June that "companies treat CI as essential information, but CI is by no means necessary for service provision," claiming that "domestic companies only collect it for their own convenience."

They demanded countermeasures, stating, "It is difficult to predict what kind of damage will arise from large-scale CI leaks. Companies should delete or suspend the CI of those affected by leaks," and "The government should investigate the reality of CI collection and subsequent leaks by companies, and ensure that those who wish to change their CI can do so."

This article was automatically translated by AI. There may be errors compared to the original Korean article.
심지영 기자
jyshim@bizhankook.com
저작권자 ⓒ 비즈한국 무단전재 및 재배포 금지