South Korea Fines Lotte Card for Data Breach Affecting 2.97 Million Customers

South Korea’s privacy watchdog announced sizable penalties against Lotte Card on March 12 for a data breach that affected about 2.97 million customers, including 450,000 whose resident registration numbers were exposed. The Korea Personal Information Protection Commission (PIPC) levied 9.62 billion won in fines plus 4.8 million won in an administrative penalty.

The decision followed the commission’s 4th plenary meeting on March 11. The breach stemmed from a hack of Lotte Card’s online payment system, where log files recorded users’ personal information in plaintext. The investigation found that the company processed resident registration numbers without a legal basis and did not adequately encrypt the log data.

Officials said log files, which record system and network activity, should contain only the minimum personal information necessary and must be protected with proper encryption. Lotte Card's practice of writing sensitive data to logs was deemed outside the legally permitted scope, and the logs themselves were insufficiently secured.
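The finding above comes down to two controls: keep identifiers out of log lines in the first place, and be able to prove that they are out. The following is an added example written for this page, not code from Lotte Card, the PIPC or any vendor. It installs a Python logging filter that masks anything shaped like a resident registration number (13 digits, YYMMDD-SNNNNNN, hyphen optional) before a record reaches a handler, optionally replacing it with a keyed pseudonym so an incident responder can still correlate entries for one customer, and it includes an audit helper that scans existing log lines for unmasked identifiers. The sample log lines, the user names and the HMAC key are constructed for the example.

```python
"""Redact Korean resident registration numbers (RRNs) before they reach log storage.

Added example, not code from the original article. Masks any RRN-shaped token
(13 digits, YYMMDD-SNNNNNN, hyphen optional) in every log record and provides
an audit helper for lines already written. Sample lines and key are constructed.
"""
import hashlib
import hmac
import logging
import re
from typing import Iterable, List, Optional

# Permissive on purpose: a false positive masks a harmless number, a false
# negative leaks an identifier. No check-digit validation is attempted.
RRN_PATTERN = re.compile(r"(?<!\d)(\d{6})-?([1-8]\d{6})(?!\d)")


def redact(text: str, key: Optional[bytes] = None) -> str:
    """Replace every RRN-shaped token in text.

    With no key, the identifier becomes a fixed placeholder. With a key, it
    becomes a keyed pseudonym (truncated HMAC-SHA256 of the 13 digits) so that
    entries for the same customer can still be correlated during an
    investigation without the identifier itself being stored. The key must be
    held outside the logging pipeline; a 13-digit input space is small enough
    that an unkeyed hash could be brute-forced back to the identifier.
    """
    def _sub(m: re.Match) -> str:
        if key is None:
            return "[RRN-REDACTED]"
        digits = m.group(1) + m.group(2)  # hyphen dropped so both spellings map alike
        tag = hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:12]
        return f"rrn:{tag}"
    return RRN_PATTERN.sub(_sub, text)


class RrnRedactingFilter(logging.Filter):
    """Apply redact() to the fully formatted message of each record."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        super().__init__()
        self.key = key

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so identifiers passed as %-style args are caught too,
        # then clear args so the handler does not re-format the original.
        record.msg = redact(record.getMessage(), self.key)
        record.args = ()
        return True


def find_unmasked(lines: Iterable[str]) -> List[str]:
    """Audit helper: return the lines that still contain an RRN-shaped token."""
    return [line for line in lines if RRN_PATTERN.search(line)]


# Constructed sample: what a payment-service log might look like before masking.
SAMPLE_LINES = [
    "2024-03-11T10:02:17 INFO auth ok user=kim rrn=901225-1234567 card=****1234",
    "2024-03-11T10:02:18 INFO auth ok user=lee rrn=0105153456789",
    "2024-03-11T10:02:19 INFO order id=20240311100219001 amount=12000",
    "2024-03-11T10:02:20 WARN retry rrn=901225-1234567 reason=timeout",
]


def masked_sample(key: Optional[bytes] = None) -> List[str]:
    """Run the sample lines through redact(), with or without a pseudonym key."""
    return [redact(line, key) for line in SAMPLE_LINES]


if __name__ == "__main__":
    logger = logging.getLogger("payments")
    handler = logging.StreamHandler()
    handler.addFilter(RrnRedactingFilter(key=b"example-key-do-not-use"))
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    logger.info("auth ok user=%s rrn=%s", "kim", "901225-1234567")
    print(len(find_unmasked(SAMPLE_LINES)), "unmasked lines before,",
          len(find_unmasked(masked_sample())), "after")
```

The filter sits on the handler rather than the logger so that it also catches records propagated from child loggers, and it matches on shape alone: a validator that rejected a genuine identifier would let it through, which is the failure mode the fine describes. The 17-digit order id in the sample is left untouched because the pattern refuses to match inside a longer digit run. Masking at the logging layer is a backstop; the primary fix the regulator asked for is not collecting the identifier where there is no legal basis to process it.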

As part of the punishment, the commission required Lotte Card to disclose the disposition on its corporate website and to undertake comprehensive improvements to its privacy practices. The order also called for strengthening the role and independence of the company’s Chief Privacy Officer and tightening overall data-protection governance.

The government also plans a proactive, industry-wide check in March to assess whether financial-sector operators process resident registration numbers without a valid basis or engage in unnecessary handling of such data. The aim is to curb routine use of highly sensitive identifiers.

The case came to the commission after the Financial Supervisory Service notified it of the breach on Sept. 22 of last year, which triggered the formal investigation.

For U.S. readers, the case highlights the growing emphasis in Korea on data-privacy enforcement against large financial services firms and the potential cross-border implications for American companies. It underscores the risk of exposing highly sensitive identifiers through operational logs, and the importance of data minimization, encryption, and a clear lawful basis for processing personal data in digital-payment and fintech systems. It also signals that Korean regulators are intensifying oversight of how personal data is managed in financial services, with fines and mandated public disclosures as part of enforcement.
