Seoul, South Korea – Lotte Card, one of South Korea's largest credit card issuers, has confirmed a significant data breach affecting approximately 2.97 million customers. The incident, which saw hackers compromise a wide array of personal and financial information, occurred in mid-August 2025 and has since prompted a thorough investigation by the nation's data protection watchdog. The breach was initially reported by cybersecurity entities, including vx-underground, highlighting the severity of the compromise.
The compromised data includes personal identification numbers, internal IDs, and contact information for nearly 3 million individuals. For a subset of 280,000 customers, highly sensitive financial details such as card numbers, expiration dates, and verification codes were also exposed, raising concerns about potential card fraud. Lotte Card, which serves around 9.6 million cardholders, acknowledged the breach after it was discovered during a routine server check.
Lotte Card CEO Cho Jwa-jin issued a public apology, pledging full compensation for damages and announcing plans to prioritize issuing new credit cards for at-risk customers. The company has committed 110 billion won ($79.30 million) over the next five years to enhance its data security infrastructure. Initial reports of 1.7 gigabytes of leaked data were later revised to a staggering 200 gigabytes following investigations by the Financial Supervisory Service.
The breach has been attributed to an unpatched vulnerability in a payments server that had gone unnoticed since 2017, despite a security fix being released that year. This revelation has drawn criticism, with local media alleging that cybersecurity investments may have been neglected since private equity firm MBK Partners acquired a majority stake in Lotte Card in 2019. MBK Partners, however, countered these claims, stating it had invested approximately 600 billion won ($430 million) in Lotte Card's IT over the past six years.
South Korea's Personal Information Protection Commission (PIPC) has launched an investigation into Lotte Card, working with financial regulators to assess the full scope of the breach and determine any violations of data protection laws. President Lee Jae Myung has ordered the government to develop "fundamental comprehensive measures to minimise hacking damage." The ruling People Power Party is reportedly planning to summon MBK chairperson Kim Byung-ju for a parliamentary audit to address accountability for the incident.