South Korea fines Lotte Card 9.62 billion won over major data breach

Korean authorities have fined Lotte Card, one of the country’s major credit card issuers, for a large-scale data breach that occurred last year. The Personal Information Protection Commission (PIPC) imposed a total administrative fine of 9.62 billion won and an additional 480,000 won in penalties after a plenary session of the agency.

The commission said the breach stemmed from violations of privacy laws tied to online payments. It found that Lotte Card processed resident registration numbers beyond what the law allows and did not sufficiently encrypt files related to online payments, leaving sensitive data vulnerable.

Investigators also determined that the company stored multiple items of personal data, including resident numbers, without proper review. That lax data-handling practice, according to the PIPC, contributed to the scale of the leak when the breach occurred.

In response, the PIPC announced that it would publish the enforcement action on its website and ordered Lotte Card to conduct an overall review of its privacy handling and implement improvements across the board.

The incident dates back to last August, when Lotte Card disclosed that a server hack affected about 2.97 million customers and resulted in the exposure of roughly 200 gigabytes of data. The company issued a public apology at the time.

Why this matters beyond Korea: the ruling underscores ongoing nationwide scrutiny of data security in fintech and digital payments, a concern shared by U.S. banks, networks, and tech partners as cross-border data flows and international trust depend on robust privacy protections. The case signals that even large, established firms can face substantial penalties for data handling weaknesses, potentially influencing how multinational partners assess risk, vendor governance, and data-minimization practices when operating in Korea or with Korean customers.

For U.S. readers, the development highlights the global push toward stronger encryption, tighter data controls, and clearer boundaries on what data can be stored or processed, especially in payment-related platforms. As U.S. financial institutions expand their overseas exposure and fintech ecosystems rely on Korean services, regulatory actions like this can shape compliance costs, cyber risk assessments, and the speed at which firms deploy new payment technologies in international markets.
