South Korea Fines Lotte Card for Data Breach Affecting 2.97 Million People

South Korea’s privacy regulator announced a sanctions package against Lotte Card over a data breach that exposed personal information from about 2.97 million people, including 450,000 resident registration numbers. The Personal Information Protection Commission (PIPC) said the breach resulted from how the online payment system logged data: personal information was written to logs in plaintext, without adequate encryption.

The commission’s full meeting on March 11 concluded with a civil penalty of 9.62 billion won and an additional 4.8 million won in fines related to violations of the Personal Information Protection Act. These penalties are separate from sanctions that may be imposed by financial authorities under the Credit Information Use and Protection Act, which could carry a maximum penalty of 5 billion won. The release did not announce any action by financial regulators under that separate framework.

Investigators found that Lotte Card logged personal data in its online payment system logs, including resident registration numbers, without adequate review or data-minimization controls. The logs contained multiple instances of sensitive information in plain text, rather than being encrypted or stripped to the minimum necessary data.
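The failure described above (sensitive identifiers written into application logs in plaintext) is one that a logging-layer control can catch as a last line of defence. The following is an added illustration, not Lotte Card's code and not anything published by the PIPC: a Python `logging.Filter` that redacts values shaped like Korean resident registration numbers (six birth-date digits, a hyphen, seven further digits) and card numbers before a record reaches any handler. The log events and the logger name `payments.example` are constructed for the example; the patterns match shape only and do not validate checksums.

```python
import io
import logging
import re

# Resident registration numbers are written as YYMMDD-NNNNNNN. This pattern
# (constructed for the example) matches that shape only; it does not validate
# the checksum digit.
RRN_PATTERN = re.compile(r"\b(\d{6})-?(\d{7})\b")

# Anything that looks like a 13-19 digit card number, optionally separated by
# spaces or hyphens. Also a constructed, shape-only pattern.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def redact_rrn(text: str) -> str:
    """Keep the birth-date half (useful for support), mask the identity half."""
    return RRN_PATTERN.sub(lambda m: f"{m.group(1)}-*******", text)


def redact_pan(text: str) -> str:
    """Mask all but the last four digits of anything shaped like a card number."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_PATTERN.sub(_mask, text)


def scrub(text: str) -> str:
    """Apply RRN redaction first so its 13 digits are never mistaken for a card number."""
    return redact_pan(redact_rrn(text))


class RedactingFilter(logging.Filter):
    """Rewrites the message and its arguments in place; never drops a record."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: scrub(str(v)) for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(scrub(str(a)) for a in record.args)
        return True


# Constructed events in the style of a payment-system log; the RRN and card
# number are sample values, not real identifiers.
CONSTRUCTED_EVENTS = [
    ("payment ok txn=%s rrn=%s card=%s",
     ("T001", "900101-1234567", "4111 1111 1111 1111")),
    ("payment declined user=%s reason=%s", ("u42", "insufficient funds")),
]


def render_logs(events=CONSTRUCTED_EVENTS) -> str:
    """Run the constructed events through a logger with the filter attached
    and return the resulting log text."""
    buf = io.StringIO()
    logger = logging.getLogger("payments.example")  # hypothetical logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    for msg, args in events:
        logger.info(msg, *args)
    handler.flush()
    return buf.getvalue()


if __name__ == "__main__":
    print(render_logs(), end="")
```

Running the block prints the two constructed events with `rrn=900101-*******` and `card=************1111`; the full identifiers never reach the handler. The filter is a safety net, not a substitute for data minimization: the stronger control is to keep these fields out of log statements altogether and to restrict which modules may log request payloads at all.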

As part of corrective action, the PIPC ordered Lotte Card to strengthen its privacy governance, including the responsibilities and independence of the company’s chief privacy officer (CPO), and to overhaul its privacy protection framework overall. The agency emphasized that the company must align practices with privacy laws and improve internal oversight of data handling.

The PIPC also said it would conduct March inspections of financial-sector operators to assess whether firms are still treating resident registration numbers as routinely usable data. The watchdog urged industry players to maintain heightened vigilance, regularly review data processing activities, and ensure compliance with privacy principles.

For readers outside Korea, the case highlights how the country’s privacy regime treats personal data entrusted to financial services and fintech firms. Lotte Card’s breach underscores the risks of logging sensitive information in plaintext and the importance of data minimization, encryption, and robust governance in digital payments. The decision signals stronger enforcement in Korea and may influence multinational firms operating in Korea or handling Korean customer data, with implications for cross-border data flows, compliance costs, and privacy-focused risk management.
