Lotte Card fined 9.6 billion won for leaking users' social registration numbers
Published: 12 Mar. 2026, 15:00
Updated: 12 Mar. 2026, 18:02
Lotte Card's headquarters in Jung District, central Seoul, is seen on July 14, 2025. [YONHAP]
Lotte Card was fined 9.6 billion won ($6.5 million) by the Personal Information Protection Commission (PIPC) after 450,000 users' social registration numbers were leaked.
The PIPC decided to impose an administrative fine of 9.62 billion won and a penalty of 4.8 million won on Lotte Card for violations of the Personal Information Protection Act, the PIPC said Thursday. The commission also issued corrective orders and a public disclosure order. The decision was finalized at a full commission meeting held on Wednesday.
The investigation began after the Financial Supervisory Service notified the PIPC in September of last year of a reported leak of Lotte Card’s personal credit information.
The probe found that a hacking attack on Lotte Card’s online simple payment system exposed log files containing the personal credit information of about 2.97 million people. The exposed data also included about 450,000 social registration numbers, which are akin to U.S. Social Security numbers.
Because issues related to the handling of personal credit information fall primarily under the Credit Information Use and Protection Act, financial authorities and the privacy watchdog divided the investigation.
Financial authorities examined possible violations of the Credit Information Use and Protection Act such as failure to meet security obligations, while the PIPC focused on whether the handling of social registration numbers violated the Personal Information Protection Act.
The investigation found that Lotte Card exceeded the legally permitted scope of processing social registration numbers by recording a range of personal information, including social registration numbers, in plain text in log files generated during online payments.
An official from the Personal Information Protection Commission speaks during a press briefing at the government complex in Jongno District, central Seoul, on March 12. [YONHAP]
Under the current Personal Information Protection Act, the processing of social registration numbers is allowed only in limited cases such as when it is required or permitted by law or presidential decree.
Investigators also found that encryption measures for the log files were insufficient. Log files are supposed to record only the minimum amount of personal information necessary, but Lotte Card had stored several types of information, including social registration numbers, without separate review.
The commission believes this practice was one of the main factors that led to the hacking incident.
Along with the fines and penalties, the commission ordered Lotte Card to review its overall handling of personal information and improve its protection system, including strengthening the responsibility and independence of the chief privacy officer.
The PIPC also plans to conduct a pre-emptive inspection of how financial companies handle social registration numbers following the incident, the commission said.
This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom.
BY JEONG JAE-HONG




