South Korea fines Lotte Card after data breach exposed resident registration numbers

The Korea Personal Information Protection Commission announced on Sept. 12, 2025 that it had fined Lotte Card Co. Ltd. for violating the Personal Information Protection Act after a data breach that exposed resident registration numbers. The penalties total 9.62 billion won in fines and an additional 4.8 million won in an administrative charge. The decision followed a notification to the regulator by the Financial Supervisory Service in September of the previous year.

Investigators found that a hack targeting Lotte Card’s online payment system led to the leakage of data from log files. Credit information on about 2.97 million users and roughly 450,000 resident registration numbers had been recorded in those logs. Application logs should hold only the minimum personal data needed and be reviewed for what they capture, but Lotte Card reportedly wrote sensitive fields to its payment logs without adequate review, and the encryption applied to the log files was judged insufficient.

The Privacy Commission concluded that the manner in which logs were handled contributed to the scale of the breach and criticized the company for weak privacy safeguards. It said that personal data, including resident numbers, were recorded in online payment logs without proper processing or adequate protection.
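The failure the regulator describes is an application writing identifiers into its own logs that should never have been there. One concrete control is a redaction filter on the logging pipeline, plus an audit scan over existing log files to find what has already leaked. The code below is an added example written for this article, not code from Lotte Card or from the regulator's decision. It assumes the standard 13-digit resident registration number layout (YYMMDD-NNNNNNN, hyphen optional in logs) and the usual 13-to-19-digit card number with a Luhn checksum; the sample log lines are constructed for the example and are not real records.

```python
import io
import logging
import re
from typing import List

# Resident registration number (RRN): 13 digits, YYMMDD then 7 digits,
# optionally hyphenated. Only the structure and a plausible month/day are
# checked, deliberately conservative for a redactor. (Assumed format.)
RRN_RE = re.compile(r"(?<!\d)(\d{2})(\d{2})(\d{2})-?(\d{7})(?!\d)")
# Card number (PAN) candidate: 13-19 digits with optional spaces/hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def looks_like_rrn(m: re.Match) -> bool:
    """Structural check on the YYMMDD prefix: month 01-12, day 01-31."""
    month, day = int(m.group(2)), int(m.group(3))
    return 1 <= month <= 12 and 1 <= day <= 31


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(candidate: str) -> str:
    """Keep BIN (first 6) and last 4 digits, star the rest, keep separators."""
    n = sum(c.isdigit() for c in candidate)
    out, i = [], 0
    for c in candidate:
        if c.isdigit():
            out.append(c if i < 6 or i >= n - 4 else "*")
            i += 1
        else:
            out.append(c)
    return "".join(out)


def redact(text: str) -> str:
    """Drop RRNs entirely (no business need to log them); mask Luhn-valid PANs."""
    text = RRN_RE.sub(lambda m: "[RRN]" if looks_like_rrn(m) else m.group(0), text)

    def pan_sub(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(m.group(0)) if luhn_ok(digits) else m.group(0)

    return PAN_RE.sub(pan_sub, text)


class RedactingFilter(logging.Filter):
    """Attach to a handler so every record is scrubbed before it is written."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def scan_log_lines(lines: List[str]) -> List[int]:
    """Audit helper: 1-based numbers of lines that still carry an RRN or PAN."""
    return [n for n, line in enumerate(lines, 1) if redact(line) != line]


def log_through_filter(message: str) -> str:
    """Log one message via a handler carrying RedactingFilter; return the output."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactingFilter())
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger("payments-example")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    logger.info(message)
    handler.flush()
    return stream.getvalue()


# Constructed sample log lines for the audit scan (not real records).
SAMPLE_LINES = [
    "2025-09-12T10:00:01 INFO pay: user=u1 rrn=901231-1234563 card=4111 1111 1111 1111 amt=12000",
    "2025-09-12T10:00:02 INFO pay: user=u2 txn=1234567890123456 ts=1757664000123 amt=5000",
]

if __name__ == "__main__":
    print(log_through_filter("pay ok user=u1 rrn=901231-1234563 card=4111 1111 1111 1111"), end="")
    print("lines with leaked identifiers:", scan_log_lines(SAMPLE_LINES))
```

The filter sits on the handler rather than on individual loggers, so it also catches messages from libraries that log through the root logger. The Luhn check keeps transaction IDs and timestamps readable while still masking genuine card numbers; the RRN rule is intentionally broad, because a false positive costs a redacted token while a miss is exactly the kind of record the regulator penalised here.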

Beyond the penalties, the regulator ordered Lotte Card to overhaul its data-handling practices, strengthen the responsibilities and independence of its privacy officer, and fortify its overall privacy governance. The commission also announced plans to conduct preemptive checks on how financial sector firms handle resident registration numbers.

Lotte Card said it voluntarily disclosed the incident and cooperated with the investigation, adding that it would pursue additional explanations through formal channels after receiving the decision.

For international readers, this case shows that Korea’s data-protection regime attaches concrete consequences to mishandling sensitive identifiers such as resident registration numbers. It underscores the importance of data minimization, disciplined logging controls, and strong encryption in digital payment infrastructure, issues that are directly relevant to U.S. financial firms and partners operating in Korea or relying on Korean payment networks and cross-border data flows. It also signals how cross-border privacy enforcement shapes cybersecurity practices, compliance costs, and consumer trust in digital payments and financial services.
