No longer owner, Lotte Group still faces brand risk from Lotte Card hacking

Lotte Card's headquarters in central Seoul, Wednesday / Yonhap

The Lotte Card hacking incident, which may have compromised the personal information of millions of customers, has raised concerns that it could inadvertently damage Lotte Group’s overall brand image, as many consumers still perceive the card issuer as part of the group, industry officials said Wednesday.

In reality, Lotte Card’s largest shareholder is private equity firm MBK Partners, and the company has had no management ties with Lotte Group since it was sold in 2019. Nevertheless, the continued use of the Lotte brand name has left Lotte Group bearing the burden of potential reputational damage, they said.

Lotte Card reported the hacking incident to the Financial Supervisory Service (FSS) on Aug. 31. The FSS began an on-site inspection of the case on Sept. 2, which is now in its final stage, with results expected to be released as early as this week.

Initially, Lotte Card estimated the scale of the hacking incident at about 1.7 gigabytes of leaked data. However, subsequent on-site inspections suggest the breach was far more extensive.

The number of victims, once thought to be limited to tens of thousands, could in fact reach into the hundreds of thousands or even millions, considering Lotte Card has 9.6 million members.

“The scope of the damage is likely much greater than originally identified. Inspection results are expected to be disclosed this week if verification is completed,” an FSS official said.

The FSS, together with the Financial Security Institute, is focusing on potential secondary damages amid rising fears that the leaked data could be used for financial crimes.

The incident has put Lotte Card’s inadequate security measures under scrutiny. The company only became aware of the hacking attack on Aug. 31, 17 days after it happened, and its delayed response has also drawn criticism.

Unexpectedly, the repercussions are affecting Lotte Group as well, with the possibility that consumers may interpret the breach as a weakness in the group’s overall security.

“Few people realize that MBK Partners is Lotte Card’s main shareholder. Most still think Lotte Card is part of Lotte Group,” a retail industry insider said.

When Lotte Group shifted to a holding company structure in 2017, it became prohibited from owning financial subsidiaries under the country’s rules on the separation of industrial and financial capital, which are designed to prevent industrial capital from controlling financial institutions.

Consequently, Lotte Card and Lotte Insurance were sold to MBK Partners and JKL Partners, respectively, in 2019.

At the time, MBK acquired the card issuer on the condition of retaining the name “Lotte Card,” believing that launching a new brand would be costly and could undermine customer trust.

gettyimagesbank

Industry experts noted that criticism should be directed at MBK Partners for prioritizing profit over adequate security investment.

The payment management servers used by Lotte Card had vulnerabilities identified about a decade ago, which most financial institutions had since patched. However, Lotte Card did not implement these updates, leaving its systems exposed to the hacking attack.

“Although the crisis was caused by MBK’s negligence, the potential impact on the Lotte brand is concerning. But, as taking action is not easy, Lotte can only hope for a swift resolution, given the number of consumer-facing services its affiliates operate," another retail industry source said.

Meanwhile, with the extent of the hacking damage exceeding initial expectations, Lotte Card CEO Cho Jwa-jin is expected to issue a public apology and announce response measures as early as this week.

Attention is focused on whether Cho’s announcement will include not only practical steps like card replacements but also compensation for affected customers.

“The inspection is still ongoing. Once the final scope of the damage is confirmed, we will inform consumers and outline our response plan accordingly,” a Lotte Card official said.

Following a hacking incident earlier this year, SK Telecom provided users with an additional month of discounts at T Membership partner stores as a form of compensation.