South Korea fines Lotte Card for privacy breach affecting nearly 3 million customers
Korea’s Personal Information Protection Commission (PIPC) announced penalties against Lotte Card after a hacking incident exposed the personal data of about 2.97 million customers, including 450,000 whose resident registration numbers were leaked. The agency said the breach stemmed from Lotte Card’s online payment system, where log files recorded personal information in plaintext.
The PIPC imposed a 9.62 billion won penalty and an additional 4.8 million won administrative fine for violations of the Personal Information Protection Act. The Act generally prohibits collecting or processing resident registration numbers except in specific, tightly regulated circumstances, and requires that any such numbers that are held be stored encrypted. The commission found that Lotte Card's encryption of the data was inadequate.
Investigators also faulted the company's handling of log data, noting that logs should record as little personal information as possible. Storing resident registration numbers and other sensitive data in logs without sufficient encryption, the agency said, contributed to the scale of the leak.
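The log-minimization finding is the one concrete engineering lesson in the disposition: identifiers that never reach a log file cannot leak from it. The following is an added example, not code from the article or from Lotte Card, showing the two controls a practitioner would pair. An audit pass (count_rrn) finds resident-registration-number patterns already sitting in log lines, and a logging filter (RrnRedactingFilter) masks the serial part of any such number before a record is written. The logger name and the sample log lines are constructed for the example; the regex uses the public RRN layout (six-digit birth date, optional hyphen, seven-digit serial part whose first digit encodes century and sex) and a date-plausibility check instead of the retired check digit.

```python
import io
import logging
import re
from datetime import datetime

# Korean resident registration number (RRN): YYMMDD, optional hyphen, then a
# 7-digit serial part whose first digit encodes century and sex. The digit
# boundaries stop 14-digit order numbers or 16-digit card PANs from matching.
RRN_RE = re.compile(r"(?<!\d)(\d{2})(\d{2})(\d{2})-?(\d)(\d{6})(?!\d)")

# Century implied by the first serial digit (1-2: 1900s, 3-4: 2000s,
# 5-8: foreign nationals, 9-0: 1800s).
_CENTURY = {"1": 1900, "2": 1900, "3": 2000, "4": 2000,
            "5": 1900, "6": 1900, "7": 2000, "8": 2000,
            "9": 1800, "0": 1800}


def _plausible_rrn(yy, mm, dd, serial_first):
    """Cheap false-positive filter: the birth-date part must be a real date.

    The old mod-11 check digit is deliberately not used: RRNs issued since
    October 2020 carry randomised serial digits with no check digit, so
    validating it would skip exactly the newer numbers.
    """
    century = _CENTURY.get(serial_first)
    if century is None:
        return False
    try:
        datetime(century + int(yy), int(mm), int(dd))
    except ValueError:
        return False
    return True


def redact_rrn(text):
    """Mask the six trailing digits of every plausible RRN in ``text``.

    The birth date and the century/sex digit are kept, the masking form
    commonly seen on Korean forms (e.g. 900101-1******).
    """
    def _mask(m):
        yy, mm, dd, first, _rest = m.groups()
        if not _plausible_rrn(yy, mm, dd, first):
            return m.group(0)          # leave non-RRN digit runs untouched
        sep = "-" if "-" in m.group(0) else ""
        return f"{yy}{mm}{dd}{sep}{first}******"
    return RRN_RE.sub(_mask, text)


def count_rrn(lines):
    """Audit pass: count plausible RRNs across existing log lines."""
    return sum(1 for line in lines
               for m in RRN_RE.finditer(line)
               if _plausible_rrn(m.group(1), m.group(2), m.group(3), m.group(4)))


class RrnRedactingFilter(logging.Filter):
    """Logging filter that rewrites the rendered message before it is emitted."""

    def filter(self, record):
        record.msg = redact_rrn(record.getMessage())
        record.args = ()               # already interpolated above
        return True


def emit_through_filter(msg, *args):
    """Send one log call through a handler carrying the filter; return the line."""
    logger = logging.getLogger("payment.demo")   # hypothetical logger name
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.handlers.clear()
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RrnRedactingFilter())
    logger.addHandler(handler)
    logger.info(msg, *args)
    handler.flush()
    return buf.getvalue().strip()


# Constructed sample lines, not taken from any real system.
SAMPLE_LOG_LINES = [
    "2024-09-01 10:00:01 INFO payment approved user=kim rrn=900101-1234567 amount=12000",
    "2024-09-01 10:00:02 INFO session token=ab12cd34 order=20240901000123",
    '2024-09-01 10:00:03 DEBUG raw request body: {"name":"lee","ssn":"0212253123456"}',
]

if __name__ == "__main__":
    print("plausible RRNs found:", count_rrn(SAMPLE_LOG_LINES))
    for line in SAMPLE_LOG_LINES:
        print(redact_rrn(line))
    print(emit_through_filter("approved rrn=%s amount=%d", "900101-1234567", 12000))
```

The filter is a backstop, not the fix: the third sample line logs a raw request body, and the right change there is to stop logging the body at all. Pattern redaction also cannot catch an identifier that has been split, encoded, or written by a library that bypasses the logging module, which is why the audit pass over existing log archives still matters.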
As part of the action, the PIPC ordered Lotte Card to disclose the disposition on its website and to implement corrective measures to reinforce privacy protections. The agency also signaled that it would broaden its review of privacy practices across Korea’s financial sector beyond the area of personal credit information currently overseen by financial regulators.
The incident first came to light when Lotte Card notified authorities in September last year. Initial disclosures put the leak at about 1.7 gigabytes, but the subsequent investigation found the volume of affected data closer to 200 gigabytes. The PIPC's probe extended beyond the financial regulator's remit to assess broader privacy-law violations tied to the case.
For international readers, the case underscores Korea's strict approach to privacy in the financial sector and the cost of noncompliance. The practical lessons are the ones the PIPC named: encrypt stored identifiers, collect and retain no more personal data than the purpose requires, and keep identifiers out of logs, where they are easily copied, retained and forwarded. Multinational firms, fintechs and partners handling Korean customer data must meet these local rules alongside cross-border data transfer requirements, and the action against Lotte Card shows that penalties and mandatory public disclosure can accompany the audits meant to sustain trust in digital payments and personal data protection.