Image: Mikhail Nilov via Pexels

South Korea probes credit card company data breach affecting 3 million customers

South Korea’s data protection watchdog has launched an investigation into a cyberattack at Lotte Card, the country’s fifth-largest card issuer.

The Personal Information Protection Commission (PIPC) said on Monday it was working with financial regulators to determine the full scope of the breach, which exposed the personal data of about 3 million customers, and whether Lotte Card had violated the country’s data protection laws.

Lotte Card confirmed last week that hackers accessed a wide range of customer data in mid-August, including identification numbers, internal IDs and contact information. Sensitive financial details such as card numbers, expiration dates and verification codes belonging to thousands of customers were also compromised.

The Seoul-based lender, which serves around 9.6 million cardholders and processes roughly 10% of the nation’s daily credit card spending, has begun notifying at-risk customers to suspend or reissue cards. The company said no unauthorized transactions had been detected.

At a press conference on Thursday, Chief Executive Cho Jwa-jin made a public apology and pledged full compensation for damages. “We will use this as an opportunity to fundamentally reform not just security but the company’s entire management framework,” he said.

Local media reported that unnamed attackers exploited an unpatched vulnerability in a payments server that had gone unnoticed since 2017. Although a security fix was released that year, the company admitted one server, used for a little-used overseas payment service, was not updated.

Only about 56% of the 2,700 files believed to have been leaked were encrypted, according to reports. The breach went undetected until a routine server check nearly two weeks after the hackers gained access.

The incident has sparked debate over whether private equity firm MBK Partners, Lotte Card’s majority owner since 2019, neglected cybersecurity investment. Local media alleged the company’s security budget had fallen since the takeover.

MBK rejected the criticism, saying it had injected about 600 billion won ($430 million) into information technology at Lotte Card over the past six years, including security. “We view IT, security and governance as essential assets for maintaining corporate value and customer trust,” an MBK official said.

Still, the ruling People Power Party reportedly plans to summon MBK chairperson Kim Byung-ju to a parliamentary audit, arguing the firm should be held accountable for the scale of the breach.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.