South Korea Fines Lotte Card Over Data Breach, Privacy Violations

South Korea’s Personal Information Protection Commission announced sanctions against Lotte Card over a major data breach last year. The agency said the company will be fined 9.62 billion won and face a separate administrative penalty of 4.8 million won, after concluding Lotte Card violated privacy laws in processing customer data.

The regulator said about 2.97 million Lotte Card customers had personal information exposed in the Sept. breach, with roughly 450,000 of them having resident registration numbers leaked as well. The decision was made at a plenary session the day before the agency’s public announcement.

Investigators found that Lotte Card stored resident registration numbers in plain text in log files generated during online payment processing, and that encryption for those logs was insufficient. The privacy law in Korea restricts the processing of resident registration numbers to narrowly defined circumstances, and the audit said the company exceeded those limits.

Because the breach involved personal credit information, the case straddled two legal regimes: the Personal Information Protection Act and the Credit Information Act. Korea’s Credit Information Act caps penalties for hacking-related losses, limiting fines to a maximum of 5 billion won, a factor the agency noted in assessing the sanctions.

As part of the ruling, the Personal Information Protection Commission ordered Lotte Card to disclose the decision on its website and to take corrective actions to strengthen data security. The agency also announced it will conduct proactive checks of financial-sector operators in March to prevent a recurrence of similar practices.

For U.S. readers, the case illustrates how rising privacy enforcement in Korea intersects with global financial services and cross-border data flows. Korea’s financial sector is linked to international payment networks and technology providers, so stricter data-handling norms and enforcement can influence global partners’ cybersecurity practices, vendor risk, and regulatory expectations in the United States. The episode also underscores ongoing global emphasis on encryption, data minimization, and auditability in online payments.
