Lee Yeon-woo is a financial journalist at The Korea Times. Her wide range of reporting includes policies, macroeconomics, stock market, companies and even crypto. She is passionate about connecting the dots in Korean finance and making it easier for foreign nationals to understand. Based on her previous experience as a national reporter, she also has a keen interest in social issues within the sector, including gender equality and ESG. Your tips and insights are always appreciated. You can send them to yanu@koreatimes.co.kr.
Lotte Card apologizes for data breach affecting nearly 3 mil. customers
Lotte Card CEO Cho Jwa-jin, second from right, and other executives bow in apology during a press conference in Seoul, Thursday. Korea Times photo by Shim Hyun-chul
By Lee Yeon-woo
CEO vows full compensation, stronger security measures
Lotte Card said Thursday that a recent cyberattack led to the leak of personal information belonging to 2.97 million customers, nearly one-third of its total customer base, and pledged full compensation for any losses resulting from the breach.
"We sincerely apologize for the concern caused to our customers and relevant institutions," Lotte Card CEO Cho Jwa-jin said during a press conference Thursday. "Lotte Card will take full responsibility for the damage caused by this incident and fully compensate the affected amounts."
The compromised data, totaling 200 gigabytes, included information generated and collected during online payment processes, such as connection details, resident registration numbers, virtual payment codes and internal identification numbers.
Of the affected customers, approximately 280,000 had particularly sensitive data exposed, including card numbers, expiration dates and security codes, raising concerns over the potential risk of fraudulent use.
"There is a possibility of fraudulent use in cases where card data is manually entered into terminals, but as of now, no actual cases of damage have been confirmed," Cho stated. "There is no risk of fraudulent transactions in offline settings."
The breach was first discovered on Aug. 26, when the company found a massive malware infection during a routine server inspection.
On Aug. 31, signs of a data exfiltration attempt were detected, prompting an immediate investigation by an external cybersecurity firm. At the time, Lotte Card said that no external leakage of key customer information had been confirmed.
Lotte Card CEO Cho Jwa-jin speaks during a press conference in Seoul, Thursday. Korea Times photo by Shim Hyun-chul
However, a subsequent investigation by financial authorities in September revealed that personal information belonging to nearly 3 million customers had, in fact, been compromised.
Furthermore, although Lotte Card initially reported the scale of the breach as 1.7 gigabytes, the actual volume of leaked data turned out to be significantly larger.
In response to this incident, Lotte Card announced it will offer a 10-month interest-free installment plan, regardless of the purchase amount, to all customers affected by the breach, valid through the end of the year. The company will also waive the annual fee for the following year for the 280,000 customers eligible for card reissuance.
Beyond customer compensation, Lotte Card outlined steps to prevent future security breaches. The firm said it will strengthen its systems by activating a company-wide emergency response framework.
It also pledged to invest 110 billion won ($79.2 million) over the next five years to bolster its information security infrastructure, including the development of its own monitoring systems.
"Eliminating customer damage will be our top priority, and I will personally oversee the activation of a company-wide emergency response system," Cho said. "I promise to carry out a level of personnel reform that will be convincing to the market. That, of course, includes the possibility of my resignation."