South Korea Fines Lotte Card 9.62 Billion Won for Data Breach, Privacy Violations
The Personal Information Protection Commission (PIPC) announced on January 12, 2026, after its fourth plenary meeting for the year, that it had imposed a 9.62 billion won penalty on Lotte Card for violations of Korea’s privacy laws. It also levied an additional 4.8 million won in administrative penalties and ordered corrective actions and public disclosure.
The ruling follows an investigation prompted by a report from the Financial Supervisory Service in September, which identified a data-leak incident at Lotte Card. Investigators found that an online payment system was hacked, exposing the personal information of 2.97 million users, and that 450,000 resident registration numbers were leaked.
The commission said the breach was linked to Lotte Card recording substantial amounts of personal data in log files in plain text and failing to encrypt those log files adequately. It also found that the company processed resident registration numbers beyond what Korea’s privacy law permits.
Korea’s Personal Information Protection Act restricts the processing of resident registration numbers to narrowly defined circumstances, such as legal requirements or urgent life, safety, or property interests. The act also requires logs to record only the minimum necessary information, and the PIPC said Lotte Card stored more personal data in logs than necessary, without proper review.
In addition to the monetary penalties, the PIPC issued compliance orders and a publication order. The commission noted the case raises questions about whether financial-sector operators habitually process resident registration numbers without a valid basis, and it plans a preemptive check of such practices in the sector this month.
Why this matters beyond Korea: The decision signals heightened regulatory scrutiny of data handling in fintech and payments, with implications for U.S.-based or multinational firms that operate in Korea or partner with Korean institutions. It underscores the importance of encrypting log data, limiting the collection and retention of sensitive identifiers, and aligning data practices with statutory restrictions, especially for cross-border operations and technology vendors.
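To make the two controls named above concrete (logging only the minimum necessary fields, and keeping national identifiers out of plain-text log files), here is an added Python example written for this summary; it is not code from Lotte Card, the PIPC, or any vendor. It assumes a resident registration number is 13 digits, usually written as six digits, a hyphen, and seven digits, and the field allowlist and sample values are constructed for illustration.

```python
"""Example logging hygiene for a payments service: an added illustration,
not code from Lotte Card or the PIPC.

Two controls the enforcement action points at are demonstrated:
  1. data minimization: only allowlisted fields reach the log record;
  2. redaction: any resident registration number (RRN) that still slips
     into a message is masked before the line hits a plain-text file.

Assumptions (not stated in the article): an RRN is 13 digits, usually written
as six digits, a hyphen and seven digits; the allowlist and sample values
below are constructed for illustration.
"""
import io
import logging
import re

# 13-digit RRN with or without the hyphen after the first six digits.
# The digit look-arounds stop a longer transaction id from matching.
RRN_RE = re.compile(r"(?<!\d)(\d{6})-?(\d{7})(?!\d)")

# Only these structured fields are approved for logging (constructed allowlist).
ALLOWED_FIELDS = frozenset({"event", "txn_id", "merchant_id", "amount", "result"})


def redact_rrn(text: str) -> str:
    """Mask the seven-digit serial of every RRN; the date prefix is kept for triage."""
    return RRN_RE.sub(lambda m: f"{m.group(1)}-*******", text)


def minimize_fields(record: dict) -> dict:
    """Drop every field that is not on the allowlist before it becomes a log line."""
    return {k: v for k, v in record.items() if k in ALLOWED_FIELDS}


def safe_log_line(record: dict) -> str:
    """Minimize first, then redact the surviving values as defense in depth."""
    kept = minimize_fields(record)
    return " ".join(f"{k}={redact_rrn(str(v))}" for k, v in kept.items())


class PiiRedactingFilter(logging.Filter):
    """Scrub the message template and its arguments before the handler emits them."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_rrn(str(record.msg))
        if isinstance(record.args, dict):  # logger.info("%(x)s", {"x": ...})
            record.args = {k: redact_rrn(v) if isinstance(v, str) else v
                           for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(redact_rrn(a) if isinstance(a, str) else a
                                for a in record.args)
        return True  # never suppress the line, only clean it


def render_with_filter(msg: str, *args) -> str:
    """Route one record through the filter into a string handler and return the output."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(PiiRedactingFilter())
    logger = logging.getLogger("payments.example")
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    try:
        logger.info(msg, *args)
    finally:
        logger.removeHandler(handler)
    return stream.getvalue().strip()


if __name__ == "__main__":
    # Constructed sample: a request handler that carelessly logs the raw RRN.
    print(render_with_filter("customer %s paid %d KRW", "900101-1234567", 12000))
    # Structured record carrying a field that should never have been in the log.
    print(safe_log_line({"event": "auth", "rrn": "9001011234567", "amount": 12000}))
```

The allowlist is the primary control: a field that is never placed in the record cannot leak, whatever happens to the file later. The regex filter is a safety net for free-text messages and does nothing for log files already written, so it complements rather than replaces encrypting log storage and reviewing what each log statement captures.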
Context for non-Korean readers: The PIPC is Korea’s independent privacy regulator responsible for enforcing the Personal Information Protection Act. A resident registration number is a 13-digit national ID used in Korea for identity verification. The Financial Supervisory Service oversees financial institutions. The Lotte Card case illustrates how breaches can involve both online payment systems and internal data-management practices, and it highlights evolving privacy enforcement that can affect international vendors and data flows relating to Korean consumers.