South Korea Fines Lotte Card for Data Breach, Plans March Financial Sector Pre-Inspection

South Korea’s privacy regulator and financial watchdog have announced penalties against Lotte Card over a large data breach tied to its online payment system, and they signaled a broader push to tighten privacy compliance in the financial sector with a planned March pre-inspection of sector operators.

The incident exposed the personal information of about 2.97 million users, and 450,000 of them had their resident registration numbers leaked. Lotte Card’s online payment system was hacked, and because the log files that contained sensitive data were stored in plaintext, the attacker could read them directly; regulators cited this as a key factor in the scale of the breach.

Two regulators led the response. The Personal Information Protection Commission concluded that Lotte Card processed resident registration numbers without a legal basis and failed to encrypt log data adequately, in violation of Korea’s privacy law. Separately, the Financial Supervisory Service assessed potential violations of the Credit Information Use and Protection Act related to how the company handled credit information.

In line with its findings, the Personal Information Protection Commission ordered corrective actions and public disclosure of the enforcement, and imposed about 9.62 billion won in fines plus a 480 million won administrative fine. The agency said Lotte Card must strengthen its overall privacy governance, including the accountability and independence of its chief privacy officer, and overhaul its data protection framework.

Lotte Card, a major card issuer owned by the Lotte Group, faced immediate reputational and regulatory consequences. According to the regulatory timeline, the incident was flagged when the Financial Supervisory Service informed the regulators on September 22 of last year; the Personal Information Protection Commission announced the sanctions at its plenary meeting on September 11 and the related measures on September 12.

For U.S. readers, the case highlights how Korea enforces data privacy in its financial sector and the potential implications for international firms operating there. Strong penalties and new governance requirements illustrate Korea’s emphasis on protecting consumer data, with broader relevance to cross-border data flows, compliance for global payment networks, and the security standards that U.S. partners and customers may expect when dealing with Korean financial services. The forthcoming March pre-inspection aims to broaden scrutiny across financial-sector operators, signaling that compliance will remain a priority beyond this incident.

Background for non-Korean readers: Lotte Card is part of the Lotte Group, one of South Korea’s largest family-controlled conglomerates. The Korean system distinguishes between general privacy law under the Personal Information Protection Act and sector-specific rules under the Credit Information Use and Protection Act, with the Financial Supervisory Service supervising financial institutions. Resident registration numbers are a highly sensitive national identifier in Korea, and processing them without a legal basis is a central issue in this case.
