South Korea: Lotte Card Fined Over 1.2 Million Data Leaks: A Security Reality Check

The Korea Communications Commission (KCC) has officially fined Lotte Card KRW 11.25 million (approx. $7,620) following a major security failure that left sensitive customer data exposed.

The fine, issued on April 29, 2026, comes after an investigation into a hacking incident last year revealed that the company had been storing critical information in "plain text"—essentially unencrypted and readable by anyone who gained access to the system.

What Went Wrong?

The KCC’s inspection found that Lotte Card skipped several fundamental security steps:

  • Zero Encryption: Resident registration numbers and payment connection data were stored in server logs without any encryption.

  • Poor Policy: The company lacked internal regulations for handling linked data safely.

  • No Playbook: There was no established plan on how to respond to a cyberattack or data breach.

The Human Impact

Because these security gaps persisted for months, a hacker was able to access the data of over a million people:

  • 1.29 million individuals had their "linked information" exposed.

  • 450,000 individuals had their Resident Registration Numbers (national ID numbers) compromised.

The Penalty & Future Outlook

While the fine amount might seem small compared to the scale of the leak, it represents a 50% increase over standard penalties because the KCC found the company’s negligence lasted for a prolonged period.

Looking Ahead: The KCC isn't stopping at a fine. They have issued formal recommendations for Lotte Card to overhaul its security. By May 2027, the company is required to implement stricter storage rules, including completely separating ID numbers from other data and ensuring full encryption.

Reference: https://www.mk.co.kr/en/it/12031205

Why this matters for us: This serves as a reminder that "security fundamentals" like encryption and having a clear response plan aren't just IT chores; they are the primary line of defense for our customers' trust.
