MBK Partners denies negligence linked to Lotte Card data breach

A customer and an employee are seen at a customer service center set up at Lotte Card’s headquarters in Seoul, Friday, following a cybersecurity incident that exposed customers’ personal information. Yonhap

MBK Partners has denied allegations that it had neglected security investments in relation to a recent data breach at Lotte Card, asserting that it has been increasing its security-related spending steadily.

On Monday, the private equity firm said it had injected around 600 billion won ($430 million) over the past six years into information technology (IT) at the card issuer to enhance security.

A cyberattack recently hit Lotte Card's server, resulting in the leak of information for about 2.97 million people, or roughly one-third of its members.

Questions have been raised over insufficient security investment, with allegations that the company’s data security budget has declined since MBK's acquisition in 2019.

In response, MBK emphasized that Lotte Card’s total IT investment amounted to 592.1 billion won from 2020 to 2025, with 65.46 billion won dedicated to security, representing an average of 11 percent of overall IT spending.

The firm noted that IT expenditures from 2020 to 2024 equaled about 40 percent of the card issuer’s net income during the period and about 1.5 times the company’s total dividend payments.

“We view IT, security and governance as essential assets for maintaining corporate value and customer trust,” an MBK official said. “As we have consistently made substantial investments in these areas, allegations of negligence are unfounded. We will continue collaborating with other shareholders to further strengthen Lotte Card’s security framework.”

A Homeplus store in Seoul, Aug. 31 / Yonhap

The recent Lotte Card case has fueled negative public sentiment toward private equity funds (PEFs), which had already grown following the controversial corporate rehabilitation of Homeplus, also owned by MBK.

In this context, the Korea Institute of Finance has proposed that the registration of PEF operators be revoked if they commit serious legal violations. The Financial Services Commission (FSC), the country’s top financial regulator, is expected to move forward with strengthening regulations on the industry based on this commissioned report.

In the report obtained by Rep. Choo Kyung-ho of the main opposition People Power Party, the institute noted that a PEF operator’s registration may be revoked only if unlawful activities are repeated or ongoing under the current Capital Markets Act. It suggested, however, that the rules could be tightened to allow the FSC to cancel registration on its own authority in cases of serious legal violations, even if they are isolated incidents.

The institute also warned that the stability of the financial market could be at risk if major companies acquired by PEFs go bankrupt or if acquisition financing expands substantially. It recommended that reporting requirements on such risks be strengthened.

The FSC tasked the institute with a study on enhancing regulations for PEFs in late March, shortly after Homeplus filed for corporate rehabilitation with the Seoul Bankruptcy Court following a credit rating downgrade.

This sparked public uproar over allegations that MBK acquired the country’s second-largest supermarket chain using large-scale loans, prioritized repaying debt through the sale of prime stores and recouping investments via dividends, and then unexpectedly filed for corporate rehabilitation.