Korea's PIPC fines Lotte Card for data breach affecting nearly 3 million customers

South Korea’s Personal Information Protection Commission (PIPC) announced sanctions against Lotte Card after a data breach last year affected nearly 3 million customers. The commission said the online payment system was hacked in September, exposing personal information stored in logs connected to online payments.

Of the affected customers, about 450,000 had their resident registration numbers leaked, according to the investigation conducted by the PIPC. The agency found that Lotte Card recorded extensive personal data in plaintext in logs linked to online payments, exceeding what the law allows.

The PIPC ordered a punitive financial penalty of 9.62 billion won and an additional administrative fine of 4.8 million won. The decision underscores Korea’s tolerance for strict enforcement when consumer data protection rules are violated.

The case highlights how Korea’s privacy regime is applied to financial-technology firms. Lotte Card operates as a major credit card issuer in Korea and is part of the Lotte Group, a large conglomerate with interests across retail, hospitality and finance.

For international readers, the decision signals how Korean regulators are prioritizing data security in fintech, an area with growing cross-border ties in technology and payments. U.S.-based firms and investors engaged with Korean fintech partners may increasingly encounter rigorous privacy requirements and heightened scrutiny of how consumer data is stored and logged.

This action also reflects broader efforts under Korea’s Personal Information Protection Act to limit data kept in logs and to ensure that only authorized, encrypted data is retained. It serves as a cautionary example for other service providers handling sensitive financial information in Korea.

Lotte Card has not indicated new details of remedial steps, but the PIPC’s decision reinforces ongoing regulatory expectations for robust data protection practices in Korea’s fast-evolving digital payments landscape.