South Korea Fines Lotte Card for Plaintext Logs in 2.97-Million-User Breach

Korean privacy authorities have imposed penalties on Lotte Card over a data breach tied to its online payment system, saying the company failed to encrypt resident registration numbers and did not adequately limit the processing of such data. The Personal Information Protection Commission (PIPC) announced fines totaling 9.62 billion won and an additional 480,000-won administrative penalty, along with corrective orders to tighten privacy practices and disclose the measures taken.

The investigation began after the Financial Supervisory Service (FSS) notified the PIPC in September last year about the incident. Officials found that the online payment system generated log files containing personal information, and about 2.97 million customers’ personal credit information was leaked. Of those, roughly 450,000 included resident registration numbers.

Korean regulators split the inquiry: the FSS examined whether the safety obligations of the Credit Information Act were violated, while the PIPC reviewed compliance with the Personal Information Protection Act in the handling of resident registration numbers. A PIPC official stressed that the overall adequacy of safety measures for the breach as a whole is for the financial regulator to decide; the data-protection agency assessed only the encryption and handling of the resident registration numbers.

The PIPC found that Lotte Card processed resident registration numbers in plaintext within log files, exceeding what the law allows, and that encryption measures for those logs were insufficient. Under Korea’s privacy law, resident registration numbers may be processed only in narrowly defined circumstances, which the agency determined were not met in this case.

In addition to the fines, the PIPC ordered corrective actions to improve the company’s data-management practices. The agency called for a comprehensive review of Lotte Card’s handling of personal information, and for strengthening the accountability and independence of the company’s privacy officer.

For U.S. readers, the case shows why robust data protection matters in cross-border financial and fintech operations. Application logs are a common place for identifiers to leak, so keeping national IDs out of logs in the first place (data minimization) and encrypting whatever must be logged are basic controls in online payments, given the consequences for customers' identity and financial exposure. The decision also shows how Korea's dual regime of data-protection and financial regulation can shape penalties and governance reforms for large digital services operating in Korea.
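The article does not say how Lotte Card's payment system wrote its logs, so the following is an added illustration and not code from Lotte Card, the PIPC or the FSS. It shows the two controls the case turns on, applied in Python: a logging filter that replaces anything shaped like a resident registration number with a keyed HMAC pseudonym before the record is written, and a scanner for finding such values in logs that already exist. The RRN pattern (six digits, optional hyphen, seven digits whose first digit is 1 to 8) is an assumption of this example and applies no checksum; the key and the sample log lines are constructed.

```python
import hashlib
import hmac
import logging
import re

# Assumed RRN shape for this example: YYMMDD-GXXXXXX, where G (the first of the
# trailing seven digits) is 1-8. Format-only: no checksum, so this is a net for
# catching values that should never have reached the logger, not an identity check.
RRN_RE = re.compile(r"(?<!\d)(\d{6})-?([1-8]\d{6})(?!\d)")


class RrnRedactor(logging.Filter):
    """Rewrite log records so RRNs are replaced by a keyed pseudonym.

    The pseudonym is an HMAC over the digits, so the same customer yields the
    same token (events stay correlatable for investigators) while the number
    itself cannot be recovered from the log without the key.  Keep the key
    outside the log store; a key stored next to the logs is just a lookup table.
    """

    def __init__(self, key: bytes):
        super().__init__()
        self.key = key

    def pseudonym(self, rrn: str) -> str:
        digits = rrn.replace("-", "")
        tag = hmac.new(self.key, digits.encode(), hashlib.sha256).hexdigest()[:12]
        # Keep only the birth-year prefix for readability; everything else is masked.
        return f"RRN[{digits[:2]}****-*******#{tag}]"

    def redact(self, text: str) -> str:
        return RRN_RE.sub(lambda m: self.pseudonym(m.group(0)), text)

    def filter(self, record: logging.LogRecord) -> bool:
        # Redact both the format string and any string arguments, so a value
        # passed as logger.info("rrn=%s", rrn) is caught before formatting.
        record.msg = self.redact(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: self.redact(v) if isinstance(v, str) else v
                           for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(self.redact(a) if isinstance(a, str) else a
                                for a in record.args)
        return True  # never drop the record, only scrub it


def scan_for_rrn(lines):
    """Detection side: report (line number, masked match) for existing log lines.

    The report masks the rear digits so the scanner's own output does not
    become a second copy of the data it is looking for.
    """
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for m in RRN_RE.finditer(line):
            hits.append((lineno, f"{m.group(1)}-*******"))
    return hits


# Constructed sample log lines (not real customer data).  Line 3 contains a
# 13-digit transaction id whose 7th digit is 0, which the pattern must not match.
SAMPLE_LOG = [
    "2025-09-01 10:00:01 INFO payment.auth user=kim rrn=900101-1234567 amount=15000",
    "2025-09-01 10:00:02 INFO payment.auth user=lee rrn=8507152345678 amount=32000",
    "2025-09-01 10:00:03 INFO payment.ok txid=1694000000000 card=****1234",
]


if __name__ == "__main__":
    # Constructed key for the demo; in production load it from a secrets store.
    redactor = RrnRedactor(b"demo-pseudonym-key-not-for-production")

    log = logging.getLogger("payment")
    log.setLevel(logging.INFO)
    handler = logging.StreamHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(name)s %(message)s"))
    handler.addFilter(redactor)
    log.addHandler(handler)

    log.info("auth user=%s rrn=%s amount=%d", "kim", "900101-1234567", 15000)

    for lineno, masked in scan_for_rrn(SAMPLE_LOG):
        print(f"existing log line {lineno}: RRN-shaped value {masked}")
```

The filter is a safety net, not the fix the regulator asked for: the data-minimization point in the decision is that the resident registration number should not be passed to the logging call at all, and a format-based pattern will both miss values split across fields and occasionally flag unrelated 13-digit strings. The scanner is the check a practitioner would run over archived logs to size the exposure before deciding whether a retention purge or re-encryption is needed.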

Context: Lotte Card is a major South Korean credit card issuer. The resident registration number is a national ID used in many services in Korea. The Personal Information Protection Commission acts as Korea’s primary data privacy regulator, while the Financial Supervisory Service oversees financial institutions, including card issuers. The case illustrates how regulatory actions in Korea can directly influence corporate compliance and governance in the fintech and payments sector.
