Home > Business > Finance

FSC plans to introduce fines for security breaches in wake of Lotte Card hack

Published: 19 Sep. 2025, 19:00 Updated: 21 Sep. 2025, 18:46

Financial Services Commission Vice Chairman Kwon Dae-young speaks during a joint press briefing with the Ministry of Science and ICT at the government complex in Jongno District, central Seoul, on Sept. 19. [YONHAP]

The Financial Services Commission (FSC) announced plans to swiftly introduce punitive fines for security breaches in the financial sector following the massive data leak at Lotte Card. The regulator also pledged to develop a comprehensive strategy to strengthen security capabilities across financial institutions.

“When security breaches occur, we will hold institutions accountable with penalties proportionate to the social impact. We will move quickly to implement punitive fines,” said FSC Vice Chairman Kwon Dae-young at a joint press briefing with the Ministry of Science and ICT on Friday.

Under the Personal Information Protection Act, revised in September 2023, fines can be imposed of up to 3 percent of a company’s total revenue. By comparison, the European Union allows penalties of up to 4 percent of revenue, while in the United States, class-action lawsuits and punitive damages have resulted in compensation reaching billions of dollars.

Public anger is particularly high because Lotte Card was among the companies embroiled in the 2014 mass leak of customer data from three card issuers, and now faces another major breach affecting 2.97 million customers.

“It is time to reflect on whether financial institutions have treated security investment too lightly, as if it were an unnecessary cost,” Kwon said. “To restore public trust, we will conduct rigorous inspections of security systems and immediately pursue fundamental reforms to prevent recurrence.”

The FSC said CEOs will be held directly responsible for promptly inspecting IT and information protection systems. The Financial Supervisory Service (FSS) and Financial Security Institute (FSI) will closely oversee the results.

Plans include granting chief information security officers (CISOs) greater authority to allocate budgets appropriately, raising disclosure standards for consumers, mandating faster recovery when breaches occur and obligating companies to provide remedies to victims.

“For the past decade, we left budget and staffing decisions up to companies, as there had been no major incidents, but this led to complacency,” Kwon said. “As digitization accelerates, vulnerabilities have increased, so we are considering placing security staff and organizations directly under CEO management.”

The FSC and FSI launched an on-site probe after Lotte Card reported the hack on Sept. 1. Investigators found that hackers infiltrated the company’s online payment server (WAS), installed malware and, between Aug. 14 and Aug. 27, stole 200 gigabytes of data.

The breach exposed personal and financial data from 2.97 million customers. Of those, 283,000 had card PINs and CVC codes stolen.

Lotte Card CEO Cho Jwa-jin and other company executives bow in apology during a press conference held in Jung District, central Seoul, on Sept. 18. [YONHAP]

Financial authorities have also faced criticism for responding too slowly to the breach.

“Our assessment was that the leaked information alone did not make fraudulent use possible," Kwon said. "Based on precise forensic results, we are categorizing customers by risk level and providing guidance accordingly.”

The incident has also cast doubt on the effectiveness of certification systems, as Lotte Card had only recently received Information Security Management System and Personal Information Protection (ISMS-P) certification from the FSI in July, just weeks before the hack occurred.

Observers note that despite repeated incidents, countermeasures often arrive too late. Following the 2014 breach involving more than 100 million card records, the FSI was established.

“IT security failures can undermine the very foundation of the nation,” said Kim Yeong-rin, a counsel at Barun Law and inaugural head of the FSI. “The level of accountability, including fines, must be raised, and because hacking methods keep evolving, financial institutions must adopt extremely detailed and adaptive security measures.”

This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom.
BY PARK YU-MI [[email protected]]