
South Korean regulators have fined credit card provider Lotte Card 9.6 billion won (about $6.5 million) after a cyberattack exposed the sensitive personal data of 2.97 million customers.
Among the data exposed were around 450,000 resident registration numbers, which form the backbone of South Korea’s highly sensitive national identification system. The attackers also gained access to the personal credit information of nearly 3 million users.
The penalty was issued by the Personal Information Protection Commission (PIPC), which concluded that the company violated the country’s Personal Information Protection Act and failed to properly safeguard sensitive data. The fine is one of the larger penalties imposed by South Korea’s financial watchdogs.
Inadequate data protection
Investigators found that the company allowed key data to be stored in system logs in plain text without adequate protection. Resident registration numbers are among the most sensitive identifiers in South Korea, and their exposure raises the risk of identity theft and financial fraud.
Regulators said companies should only process such identifiers in limited circumstances and must implement strong security controls when they do. The commission concluded that Lotte Card processed the data beyond the scope allowed by law.
In addition to imposing the fine, the watchdog ordered the company to strengthen its data protection measures and improve oversight of how personal information is handled within its payment systems. It also said the firm must publish details about the incident on its website to inform customers.
Growing regulatory pressure
The commission said it plans to use this incident to launch broader scrutiny across the financial sector. Officials said they plan to conduct inspections of financial companies next month to make sure they aren’t processing resident registration numbers without a legal basis.
"This incident should serve as a wake-up call for businesses to remain vigilant against misuse and abuse of personal information," a commission official said.
"They must regularly review and improve their data handling practices in accordance with privacy protection principles."
The incident underscores growing regulatory pressure on financial institutions in South Korea to tighten cybersecurity and data protection practices, as recent analysis shows that large data leaks in the country are fueling more targeted phishing campaigns.
Coupang, the country’s e-commerce giant, recently suffered a massive breach exposing 33.7 million customer accounts. In another case, investigators examined a suspected ransomware attack at Kyowon Group that could potentially affect up to 9.6 million user accounts.