2 Remove Virus

South Korea fines Lotte Card $6.5 million after data breach

South Korea’s data protection regulator has fined Lotte Card, a credit card provider based in Seoul, 9.6 billion won, about $6.5 million, after a cyberattack exposed personal information belonging to millions of customers.

The penalty was issued by the Personal Information Protection Commission, the country’s national privacy regulator responsible for enforcing data protection laws. The commission concluded that Lotte Card violated the Personal Information Protection Act by failing to adequately protect sensitive customer data.

The investigation found that hackers breached the company’s online payment system and accessed log files containing personal credit information belonging to about 2.97 million users. Among the exposed records were resident registration numbers for roughly 450,000 customers. Resident registration numbers are South Korea’s core national identifier and are considered highly sensitive personal data.

Regulators said the breach occurred because personal information was stored improperly in system logs. According to the commission, Lotte Card recorded multiple types of personal data, including resident registration numbers, in plain text within log files connected to online payment processes. Investigators also determined that encryption protections for these logs were insufficient.
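
The failure described above, identifiers written to payment logs in plain text, is what a redaction filter on the log handler is meant to prevent. The following is an added example, not code from the article or from Lotte Card's systems: it masks RRN-shaped values before they are written and scans existing log lines for leftovers. The RRN pattern, the logger name and the sample values are assumptions constructed for illustration.

```python
import io
import logging
import re

# Assumed RRN shape: YYMMDD, optional hyphen, then 7 digits (13 digits total).
# The month/day check and digit lookarounds keep 16-digit card numbers and
# other long numeric IDs from matching.
RRN_RE = re.compile(
    r"(?<!\d)\d{2}(?:0[1-9]|1[0-2])(?:0[1-9]|[12]\d|3[01])-?\d{7}(?!\d)"
)
MASK = "[RRN-REDACTED]"


def mask_rrn(text: str) -> str:
    """Replace every RRN-shaped token in text with a fixed mask."""
    return RRN_RE.sub(MASK, text)


class RRNRedactingFilter(logging.Filter):
    """Mask RRNs after %-formatting, so values passed as args are covered too."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = mask_rrn(record.getMessage())
        record.args = None  # message is already formatted
        return True


def find_rrn_lines(lines):
    """Return 1-based numbers of existing log lines that still hold an RRN."""
    return [n for n, line in enumerate(lines, 1) if RRN_RE.search(line)]


def demo() -> str:
    """Log constructed payment events through the filter; return what was written."""
    sink = io.StringIO()
    handler = logging.StreamHandler(sink)
    # Attach to the handler: logger-level filters skip records that
    # propagate up from child loggers.
    handler.addFilter(RRNRedactingFilter())
    log = logging.getLogger("payment.demo")  # hypothetical logger name
    log.setLevel(logging.INFO)
    log.propagate = False
    log.addHandler(handler)
    # Constructed values, not real customer data.
    log.info("auth ok user=%s rrn=%s", "u1001", "900101-1234567")
    log.info("card=4111111111111111 amount=%d", 12000)
    log.removeHandler(handler)
    return sink.getvalue()
```

Pattern matching of this kind is a backstop and can miss or over-match; the stronger control is not passing the identifier to the logger in the first place.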

South Korean law restricts the use and storage of resident registration numbers. Organizations are allowed to process such identifiers only in limited circumstances and must apply strict safeguards when handling them. The commission concluded that Lotte Card processed the identifiers beyond the scope permitted under the law.

In addition to the financial penalty, the regulator ordered Lotte Card to strengthen its data protection practices. The company must review how personal information is handled within its systems and improve security controls related to sensitive data processing. Authorities also instructed the firm to disclose details about the incident on its website to inform affected customers.

The investigation began after South Korea’s Financial Supervisory Service reported the breach to the Personal Information Protection Commission in September of the previous year. Authorities then conducted a joint public and private sector inquiry to determine how the attack occurred and whether the company had complied with privacy regulations.

Officials said the case will lead to broader inspections within the financial sector. The commission plans to examine whether other financial institutions are processing resident registration numbers without a clear legal basis or sufficient safeguards.

The regulator stated that companies handling sensitive personal information must regularly review their data protection practices and apply strong safeguards to prevent unauthorized access and data exposure.