South Korea's Lotte Card fined £2.51m for data protection failures

South Korean credit card company Lotte Card has been notified by the country’s financial regulator of an impending fine of 5 billion won, or £2.51 million, for failing to protect customer data during a major breach incident last year.

 

The Seoul-headquartered credit card company suffered a major data breach incident in 2025 that involved malicious actors hacking its online payment system and exfiltrating the personal and financial information of approximately 2.97 million customers, including credit card numbers, expiration dates and CVC numbers related to 280,000 customers.

 

The data breach incident impacted close to a third of the company’s customer base of over 9.6 million people, attracting swift investigation from the Personal Information Protection Commission, South Korea’s data protection watchdog. 

 

According to local media reports, the cyber incident revealed significant security weaknesses in Lotte Card’s information systems. The compromised payments server had an unpatched vulnerability dating back to 2017, almost half of the compromised data was unencrypted, and Lotte Card’s majority shareholder, MKB Partners, was accused of not dedicating sufficient investments to secure the credit card company’s IT systems.

 

Established in 2002, Lotte Card forms part of the LOTTE Group’s distribution business across South Korea which includes a number of department stores, hypermarkets, home shopping, movie theaters and coffee shops. The company’s cards can be used in Lotte stores and establishments nationwide and come with curated offerings and discounts.

 

In March, the Personal Information Protection Commission completed its investigation into the data security incident at Lotte Card and issued an administrative fine of 9.62 billion won (£4.8 million) and additional penalty of 4.8 million won (£2,424) on Lotte Card for violating provisions of the Personal Information Protection Act.   

 

Earlier this week, the Financial Supervisory Service, South Korea’s financial regulator, also sent a notice to Lotte Card to convey its decision to penalise the company to the tune of 5 billion won (£2.51 million) and enforce business suspension of more than four months. 

 

The financial services watchdog based its decision on the severity of violations of the Credit Specialized Financial Business Act, the Credit Information Act, and the Electronic Financial Transactions Act. The decision will be finalised by the Financial Services Commission in a review meeting in due course.