Lotte Card breach: unencrypted logs expose 3 million cards; 9.62 billion won fine.
An investigation into last year’s data breach at Lotte Card has found that sensitive information was exposed after the company failed to properly encrypt logs from its online payment system. The breach, disclosed in August, affected about 2.97 million cardholders, with card numbers and expiration dates leaked, according to Korea’s privacy watchdog.
In addition to payment data, about 450,000 resident registration numbers were exposed. The Personal Information Protection Commission (PIPC) said Lotte Card had written a large amount of personal data, including resident registration numbers, in plain text into log files, and that the protection applied to those logs fell short of the required encryption.
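The failure described above (card numbers and resident registration numbers written to application logs in plain text) is one that a log-scanning or log-redaction step catches before the data ever reaches disk. The following is an added example, not code from the article or from Lotte Card, showing how a practitioner would detect and mask both data types in log lines: card numbers are confirmed with the Luhn check so that ordinary 16-digit order IDs are not flagged, and resident registration numbers are confirmed with the date, gender-digit and check-digit rules. The log lines, the test PAN 4111111111111111 and the RRN 900101-1234568 are constructed sample data (the RRN is synthetic, built to satisfy the check-digit formula). One caveat: numbers issued after October 2020 use randomised trailing digits and do not necessarily satisfy the check digit, so production code should decide whether to keep that filter.

```python
import re
from typing import List, Tuple

# Constructed sample log lines (synthetic, not from any real system).
# 4111111111111111 is a well-known Luhn-valid test PAN; the RRN below is a
# synthetic value built to pass the check-digit rule. Line 2 (index 2) holds a
# 16-digit order id that is NOT Luhn-valid and must not be reported.
SAMPLE_LOG = [
    "2025-08-01T10:02:11Z INFO pay.auth card=4111111111111111 exp=1227 amount=19000 result=APPROVED",
    "2025-08-01T10:02:12Z INFO user.verify rrn=900101-1234568 name=TEST",
    "2025-08-01T10:02:13Z DEBUG order id=4111111111111112 status=NEW",
    "2025-08-01T10:02:14Z INFO pay.auth card=4111-1111-1111-1111 exp=1227",
]

# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")
# Korean RRN: YYMMDD-GSSSSSC, hyphen optional.
RRN_RE = re.compile(r"(?<!\d)\d{6}-?\d{7}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def rrn_ok(digits: str) -> bool:
    """Structural check for a 13-digit resident registration number.

    Validates month, day, gender/century digit (1-8) and the classic check
    digit (weights 2..9,2..5, mod 11). Assumption: numbers issued after
    October 2020 may not satisfy the check digit; drop that test if needed.
    """
    if len(digits) != 13 or not digits.isdigit():
        return False
    mm, dd, g = int(digits[2:4]), int(digits[4:6]), digits[6]
    if not (1 <= mm <= 12 and 1 <= dd <= 31 and g in "12345678"):
        return False
    weights = (2, 3, 4, 5, 6, 7, 8, 9, 2, 3, 4, 5)
    s = sum(int(d) * w for d, w in zip(digits[:12], weights))
    return (11 - s % 11) % 10 == int(digits[12])


def find_sensitive(line: str) -> List[Tuple[str, int, int]]:
    """Return (kind, start, end) spans of valid RRNs and Luhn-valid PANs."""
    found: List[Tuple[str, int, int]] = []
    for m in RRN_RE.finditer(line):
        if rrn_ok(m.group().replace("-", "")):
            found.append(("RRN", m.start(), m.end()))
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
            continue
        # A 13-digit RRN also matches the PAN pattern; keep a single label.
        if any(s < m.end() and m.start() < e for _, s, e in found):
            continue
        found.append(("PAN", m.start(), m.end()))
    return sorted(found, key=lambda f: f[1])


def redact(line: str) -> str:
    """Mask a line before it is written: PAN keeps first 6 / last 4, RRN keeps birth date."""
    out = line
    for kind, s, e in reversed(find_sensitive(line)):   # right to left keeps offsets valid
        digits = re.sub(r"[ -]", "", line[s:e])
        if kind == "PAN":
            masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
        else:
            masked = digits[:6] + "-*******"
        out = out[:s] + masked + out[e:]
    return out


def scan_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Report (line index, kinds found) for every line carrying plaintext PAN/RRN data."""
    report = []
    for i, line in enumerate(lines):
        kinds = [k for k, _, _ in find_sensitive(line)]
        if kinds:
            report.append((i, kinds))
    return report


if __name__ == "__main__":
    for idx, kinds in scan_log(SAMPLE_LOG):
        print(f"line {idx}: {kinds}")
        print("  redacted:", redact(SAMPLE_LOG[idx]))
```

Run as a one-off scanner over existing log archives to size an exposure, or wire `redact` into the logging formatter so the plaintext never reaches the file; in the latter case the better fix is still to stop logging the field at all, since a masked value can be mis-masked by a later code change while a field that is never logged cannot leak.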
The watchdog also noted cultural and regulatory issues around how resident registration numbers are handled. A PIPC official said that even though the legal framework mandating careful use of resident registration numbers has existed for more than a decade, the practice remains overly permissive in some cases.
Regarding penalties, the PIPC fined Lotte Card 9.62 billion won and imposed an additional 4.8 million won in administrative sanctions. The calculation treated the online payment service as the relevant revenue base, rather than the company’s overall sales, in line with the agency’s guidance on fines for data-security violations.
There may be further consequences from financial regulators, as the enforcement process by Korea’s financial authorities is not yet complete. The final sanction could rise depending on additional findings and penalties from those authorities.
Lotte Card said it would respond through available appeals channels for any aspects where it believes the evidence did not reflect the situation, and it pledged to cooperate with regulators as the process continues.
Why this matters beyond Korea: for U.S. readers, the case underscores that payment and fintech security is as much about what is written to logs and who can read them as about the transaction path itself, including data held by partners and service providers. It highlights the cross-border implications of Korean data-protection enforcement for international vendors, card networks, and e-commerce platforms that rely on Korean payment rails. As U.S. companies increasingly operate in or partner with Korean financial services firms, incidents like this shape risk management, compliance costs, and how multinational firms structure data flows, encryption requirements, and incident response in Asia-Pacific markets.