South Korea Fines Lotte Card 9.62B Won, 4.8M Penalties for Data Breach
South Korea’s privacy regulator has ordered penalties against Lotte Card over a major data breach and its handling of sensitive information. The Personal Information Protection Commission (PIPC) decided on a 9.62 billion won fine and an additional 4.8 million won in administrative penalties, along with corrective orders aimed at improving the company’s privacy controls and public disclosure.
Lotte Card, a leading Korean credit card issuer, said it would pursue the available appeal procedures and would continue to explain its position as the process unfolds. The company apologized for the incident and said it would work to strengthen measures to prevent a recurrence.
The investigation traces the incident to September, when the Financial Supervisory Service notified authorities about a leak. The breach occurred when Lotte Card’s online payment system was hacked, exposing personal data of about 2.97 million users. For around 450,000 of them, resident registration numbers were leaked as well.
The case hinges on Korea’s data-privacy and financial data laws. The Credit Information Act, which governs how personal credit information is processed, takes precedence over the Personal Information Protection Act for matters within its scope. Data not regulated by that act falls under the Privacy Act, meaning both statutes apply to overlapping operations such as credit checks and broader data handling.
Investigators found that Lotte Card stored several pieces of personal information, including resident registration numbers, in plain text in logs generated by its online payment processes. Encryption of the log files was deemed insufficient, and the practice of retaining such data in logs without proper safeguards contributed to the scale of the leak.
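The finding above is a familiar failure mode: payment-flow logs that capture a resident registration number (RRN, laid out as YYMMDD-NNNNNNN) in plain text. As an added illustration, not code from Lotte Card or the regulator, the following Python shows the two controls a team would typically put in place: a logging filter that redacts RRN-shaped tokens before any handler writes them, and an audit scan over existing log lines to find ones that already leak. The log lines are constructed samples from a hypothetical payment gateway.

```python
import io
import logging
import re

# Korean RRN layout: 6 digits (YYMMDD), hyphen, 7 digits. No checksum validation on
# purpose: over-redacting an RRN-like token is the safe direction for a log sanitizer.
RRN_RE = re.compile(r"(?<![\d-])\d{6}-\d{7}(?![\d-])")
REDACTED = "[RRN-REDACTED]"


def mask_rrn(text: str) -> str:
    """Replace every RRN-shaped token in text with a fixed marker."""
    return RRN_RE.sub(REDACTED, text)


def scan_log_lines(lines):
    """Audit existing log text: (line_no, masked_line) for every line that leaks an RRN."""
    return [(i, mask_rrn(line)) for i, line in enumerate(lines, 1) if RRN_RE.search(line)]


class RrnRedactingFilter(logging.Filter):
    """Rewrite the message and any string args before a handler formats the record."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = mask_rrn(str(record.msg))
        if record.args:
            record.args = tuple(mask_rrn(a) if isinstance(a, str) else a for a in record.args)
        return True  # keep the record, now sanitized


def log_through_filter(msg: str, *args) -> str:
    """Return what a handler emits for one record once the filter has run (demo helper)."""
    buf = io.StringIO()
    logger = logging.getLogger("payment.demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RrnRedactingFilter())  # logger-level filters run before handlers
    logger.info(msg, *args)
    return buf.getvalue().strip()


# Constructed sample lines from a hypothetical payment gateway (not real data).
SAMPLE_LOG = [
    "2025-09-01 10:00:01 INFO  auth ok user=u123 rrn=900101-1234567 amount=15000",
    "2025-09-01 10:00:02 INFO  callback merchant=m77 txid=ab12cd",
    "2025-09-01 10:00:03 WARN  retry user=u124 rrn=851231-2345678 alt=851231-2345678",
]
```

Running `scan_log_lines(SAMPLE_LOG)` flags lines 1 and 3; the filter is the preventive control, the scan the detective one for logs that were already written.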
In addition to identifying and closing the security gaps, the PIPC ordered Lotte Card to publicly disclose the violation on its website and to conduct a comprehensive review of its privacy protection framework. The company pledged to cooperate with the investigation and to implement stronger safeguards to prevent future breaches.
For U.S. readers, the case highlights how Korea’s strict privacy and financial data rules are enforced and how penalties can be significant for fintech and payment firms operating in or serving Korean customers. It underscores the risk of cross-border data flows, the importance of encryption and controlled access for logs, and the potential regulatory costs for multinational tech and financial services providers that handle sensitive personal information. As U.S. firms increasingly rely on international data networks and finance tech partners, Korea’s enforcement signals how data-security requirements can affect compliance, liability, and operations across markets.