Industry - Enforcement

Executive Summary

South Korea's Personal Information Protection Commission fined Lotte Card 9.62 billion won ($6.51 million) after a hacking incident exposed personal data of 2.97 million customers, including resident registration numbers of 450,000 people. The breach occurred because Lotte Card stored registration numbers in plain text in log files from its online payment system and failed to implement proper encryption, violating data protection laws. The Financial Supervisory Service also imposed a separate...

What Happened

In September 2025, hackers breached Lotte Card's online payment system in South Korea, exposing personal credit information of approximately 2.97 million customers. The breach included resident registration numbers (similar to social security numbers) for around 450,000 people. Investigators discovered that Lotte Card had illegally stored these registration numbers in plain text within log files and failed to implement adequate encryption measures, violating South Korea's Personal Information Protection Act.
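One way to keep resident registration numbers out of application logs, shown as an added example that is not code from Lotte Card, the regulator, or the original article: a Python logging filter that masks values shaped like a registration number before any handler writes them. The logger name, the mask string, the date-plausibility heuristic and the sample values are all assumptions made for this example.

```python
import io
import logging
import re

# Resident registration number shape: YYMMDD, optional hyphen, 7 digits.
# Lookarounds stop it matching inside longer digit runs such as card numbers.
RRN_RE = re.compile(r"(?<!\d)\d{2}(\d{2})(\d{2})-?\d{7}(?!\d)")
MASK = "******-*******"

def _mask_if_plausible(match):
    """Mask only when the MMDD part is a plausible date (heuristic, assumed)."""
    month, day = int(match.group(1)), int(match.group(2))
    if 1 <= month <= 12 and 1 <= day <= 31:
        return MASK
    return match.group(0)

def redact_rrn(text):
    """Return text with every RRN-shaped value replaced by a fixed mask."""
    return RRN_RE.sub(_mask_if_plausible, text)

class RRNRedactionFilter(logging.Filter):
    """Rewrite each record before the handler formats or writes it."""

    def filter(self, record):
        # Render msg % args first so values passed as arguments are covered too.
        record.msg = redact_rrn(record.getMessage())
        record.args = None
        return True

def build_logger(stream):
    """Hypothetical payment logger writing to `stream` with redaction attached."""
    logger = logging.getLogger("payment-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.addFilter(RRNRedactionFilter())
    logger.addHandler(handler)
    return logger

if __name__ == "__main__":
    out = io.StringIO()
    log = build_logger(out)
    # Constructed sample values, not real customer data.
    log.info("auth request rrn=%s amount=%d", "900101-1234567", 15000)
    log.info("order_id=9913451234567 status=ok")
    print(out.getvalue(), end="")
```

The filter rewrites only the message and its arguments; traceback text attached through `exc_info` is produced later by the formatter and would need the same redaction applied there.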

Who Is Affected

Approximately 2.97 million Lotte Card customers in South Korea had their personal credit information exposed, with 450,000 of these individuals having their resident registration numbers compromised. Resident registration numbers are sensitive government-issued identifiers used across financial and administrative systems in South Korea, making affected individuals vulnerable to identity theft and financial fraud. The breach primarily impacts South Korean residents who used Lotte Card's payment services.

Why It Matters

This enforcement action demonstrates increasingly strict accountability for inadequate data protection practices, with South Korea's regulators imposing combined penalties exceeding $9.8 million and a potential 4.5-month business suspension. The severity reflects a 50% increase over penalties for a similar 2014 Lotte Card breach, signaling that repeat violations will face escalating consequences. The case establishes precedent that storing sensitive identification numbers in unencrypted plain text constitutes a serious regulatory violation warranting substantial financial and operational penalties, potentially threatening a company's viability.

What You Should Do

Affected Lotte Card customers should immediately monitor their financial accounts and credit reports for unauthorized activity or new accounts opened in their name. Those whose resident registration numbers were exposed should contact South Korean financial institutions to place fraud alerts and consider freezing credit where possible. Customers should change passwords for any accounts that used their Lotte Card credentials and enable two-factor authentication on financial services. They should also contact Lotte Card directly to learn what specific information was compromised in their case and what remediation or monitoring services it is providing to affected customers.

AI-Assisted

Event summaries are generated by Claude AI from verified sources and reviewed by humans before publication.

South Korea's Personal Information Protection Commission fined Lotte Card 9.62... - Industry | PrivacyWire