South Korea Fines Lotte Card 9.62B Won Over Data Breach, Orders Privacy Overhaul
South Korea’s Personal Information Protection Commission has levied penalties against Lotte Card for violations of privacy laws stemming from a data breach in its online simple payment system. The agency announced a total of 9.62 billion won in fines, plus a 480-won administrative penalty, and ordered corrective actions and public disclosure of the decision on the company’s site.
Investigators found that the online payment platform was hacked and that logs stored in the system contained sensitive data. About 2.97 million users’ personal credit information was exposed, and roughly 450,000 resident registration numbers were leaked as part of the breach. The findings center on how data was logged and protected within the payment system.
The investigation began after the Financial Supervisory Service notified the Personal Information Protection Commission on September 22 of last year about the leak. Korean authorities split the enforcement responsibilities: the handling of personal credit information falls under the Act on the Use and Protection of Credit Information, while other personal data protection is governed by the Personal Information Protection Act.
The commission concluded that Lotte Card stored resident registration numbers and other personal data in plaintext in logs related to online payments, well beyond what the law permits. It also found that encryption of the log files was insufficient. Officials attributed the scale of the leakage in part to this logging practice, which exposed sensitive data during a cyberattack.
In addition to the fines and public disclosure, the PIPC ordered Lotte Card to overhaul its privacy management framework. The company was directed to strengthen privacy governance, specifically by reinforcing the role and independence of its chief privacy officer, and to undertake a broad reform of its data protection practices.
The agency said it will use this incident as an occasion to broaden its scrutiny of how the financial sector handles resident registration numbers. This month, it plans to conduct on-site checks with financial sector operators to assess whether RRNs are being processed lawfully and whether any of that handling is unnecessary.
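The finding above that RRNs and card data sat in plaintext payment logs, and the planned checks of whether RRNs are present in financial-sector systems at all, both come down to the same two controls: keep identifiers out of log output, and be able to scan stored logs for ones that got through. The following is an added example and not code from the article or from Lotte Card's systems. It assumes Python's standard `logging` module, uses the conventional 13-digit RRN layout (YYMMDD-NNNNNNN) and a generic four-by-four card number layout as its patterns, and all sample events are constructed.

```python
import io
import logging
import re

# Constructed patterns for this example. A South Korean resident registration
# number (RRN) is 13 digits, conventionally written YYMMDD-NNNNNNN; the card
# number layout (four groups of four digits) is a generic assumption, not a
# description of Lotte Card's actual records.
RRN_RE = re.compile(r"\b(\d{6})-?(\d{7})\b")
PAN_RE = re.compile(r"\b(\d{4})[- ]?(\d{4})[- ]?(\d{4})[- ]?(\d{4})\b")


def redact(text: str) -> str:
    """Mask RRN and card-number shaped values; keep only non-identifying digits."""
    text = RRN_RE.sub(lambda m: f"{m.group(1)}-*******", text)
    text = PAN_RE.sub(lambda m: f"****-****-****-{m.group(4)}", text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrite each record's fully formatted message before any handler writes it.

    Formatting first (getMessage) and then clearing args means the redaction
    also covers values passed as %-style arguments, not just the literal
    format string.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def build_logger(stream) -> logging.Logger:
    """Logger whose single handler redacts before writing to `stream`."""
    logger = logging.getLogger("payments.example")
    logger.setLevel(logging.INFO)
    logger.propagate = False  # keep the demo from reaching the root logger
    for old in list(logger.handlers):
        logger.removeHandler(old)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    # Attached to the handler, so it applies to every record the handler sees.
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    return logger


# Constructed sample events; the identifiers are made up.
SAMPLE_EVENTS = [
    ("payment approved user=%s rrn=%s", ("u1042", "900101-1234567")),
    ("card on file %s", ("1234-5678-9012-3456",)),
    ("raw request body: rrn 9001011234567 amount=12000", ()),
]


def capture_redacted(events=SAMPLE_EVENTS) -> list[str]:
    """Log the events through the redacting logger and return the written lines."""
    stream = io.StringIO()
    logger = build_logger(stream)
    for msg, args in events:
        logger.info(msg, *args)
    return stream.getvalue().splitlines()


def scan_log_lines(lines) -> list[int]:
    """Audit helper: 1-based numbers of lines that still contain RRN-shaped values."""
    return [i for i, line in enumerate(lines, 1) if RRN_RE.search(line)]


if __name__ == "__main__":
    written = capture_redacted()
    for line in written:
        print(line)
    print("lines with RRN-shaped values after redaction:", scan_log_lines(written))
```

The filter is a last line of defense, not a substitute for never handing identifiers to the logger: the third sample event shows why, since a developer who logs a raw request body will leak whatever is in it unless something downstream catches it. `scan_log_lines` is the audit side of the same pattern; run over an existing log archive it tells you which lines an on-site check of RRN handling would flag.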
Why this matters for U.S. readers: the case illustrates how South Korea is enforcing data privacy in its fast-growing fintech and payments sectors, with significant penalties and mandatory governance reforms. For American companies and investors, it underscores the global risk of data breaches involving cross-border financial data, the importance of secure logging practices, and the potential regulatory impact on partnerships, supply chains, and compliance costs in a highly digital economy. As U.S. and Korean firms increasingly collaborate on fintech services, Korea’s robust privacy regime can influence data-handling standards, contract terms, and risk management across Asia-Pacific markets.