Photo courtesy of Yonhap News
[Alpha Biz= Kim Jisun] Lotte Card has been fined 9.62 billion won ($7.2 million) for a data breach that exposed the personal information of 2.97 million customers, South Korea’s Personal Information Protection Commission (PIPC) said on March 12.
The regulator imposed the fine along with an additional penalty of 4.8 million won for violations of the Personal Information Protection Act.
The breach occurred in September last year, when hackers infiltrated Lotte Card’s online payment system and accessed log files containing users’ personal credit information. Among the leaked data were the resident registration numbers of about 450,000 individuals.
The exposed data accounted for roughly 30% of Lotte Card’s total customer base of 9.67 million.
The PIPC investigation found that Lotte Card failed to properly secure personal data, recording sensitive information—including resident registration numbers—in unencrypted plain text within system logs. The company also did not implement sufficient encryption measures for log files.
In addition, regulators said the company stored excessive personal information in logs without proper review, even though only minimal data should be recorded when unavoidable.
Authorities concluded that these shortcomings allowed the hacking incident to escalate into a large-scale personal data leak.
The probe began after the Financial Supervisory Service (FSS) notified the PIPC of Lotte Card’s report regarding the credit information breach.
Along with the financial penalties, the commission ordered Lotte Card to publicly disclose the sanctions on its website and overhaul its personal data protection systems, including reviewing and improving data handling practices.
The PIPC also said it plans to conduct a broader inspection of how financial institutions handle resident registration numbers later this month.
Alphabiz Reporter Kim Jisun (stockmk2020@alphabiz.co.kr)