South Korea Fines Lotte Card 9.62 Billion Won for Online Payment Privacy Breach
Seoul’s Personal Information Protection Commission has ordered Lotte Card to pay a total of 9.62 billion won in penalties and an additional 4.8 million won in administrative fines after finding a breach of privacy rules linked to its online payment system.
The watchdog said the log files generated during online transactions recorded multiple personal data items, including 13-digit resident registration numbers, in plaintext. The breach exposed the personal credit information of about 2.97 million users, including roughly 450,000 leaked resident registration numbers.
The investigation began after the Financial Supervisory Service notified the Personal Information Protection Commission in September last year about a leak of personal credit information at Lotte Card.
As part of the decision, the Privacy Commission ordered Lotte Card to publish the disposition on its website and to overhaul its privacy protections, including strengthening the independence and effectiveness of its privacy officer and overall governance.
The commission characterized the incident as a “very serious violation” of security principles, which explains the severity of the penalties. The amount, however, is lower than the record fines seen in other sectors, such as SK Telecom’s 134.8 billion won, because this case focused specifically on the handling and encryption of resident registration numbers rather than broader security measures.
The ruling reflects a split in Korea’s enforcement framework: personal credit information handling falls under the Credit Information Use and Protection Act, while protection of resident registration numbers is governed by the Personal Information Protection Act. The penalties cited are based on the pre-amendment rules in force at the time of the offense; a recently enacted privacy law allows penalties up to 10% of annual sales, but that higher rate applies to violations occurring after the law’s effective date.
Officials say the case will prompt broader scrutiny of how financial-sector companies store and process resident registration numbers. The Privacy Commission plans to conduct preemptive checks of financial firms to ensure such data are not kept or processed unnecessarily, while the Financial Supervisory Service continues its separate investigation, which could lead to further sanctions.