Regulators urged to investigate Lotte Card
April 17, 2026
Rep. Lee In-young urged regulators to investigate Lotte Card, claiming the issuer had taken on the losses linked to troubled discount chain Home Plus.
South Korean financial regulators are moving to impose severe penalties, including a multi-month business suspension, on Lotte Card following a catastrophic data breach last year that compromised the personal information of nearly three million customers. The nation’s Financial Supervisory Service (FSS) has formally notified the credit card company of its intent to levy sanctions that include a proposed 4.5-month suspension of business and a 5 billion won fine. This action follows a separate, heavy fine from the country's privacy watchdog and signals a zero-tolerance approach to data security failures in the financial sector.
The regulatory backlash stems from a 2025 hacking incident that exposed the data of approximately 2.97 million Lotte Card users, representing nearly a third of its customer base. The breach was particularly damaging as it included highly sensitive information, such as the resident registration numbers of 450,000 people and the card numbers, expiration dates, and CVC security codes for about 280,000 customers. Investigators found that the cyberattack exploited a known security vulnerability that had remained unpatched since 2017, and that the company had stored critical information, including social registration numbers, in unencrypted plain text.
This is the second major regulatory blow for Lotte Card this year. In March, the Personal Information Protection Commission (PIPC) imposed a 9.62 billion won penalty after its own investigation concluded the company had violated the Personal Information Protection Act. The FSS investigation focused more specifically on violations of financial laws, including the Credit Information Act and the Electronic Financial Transactions Act, examining the scale of the leak and failures in security protocols. The proposed penalties are now under review, with a final decision to be confirmed by the overarching Financial Services Commission.
The incident and the resulting regulatory actions have placed Lotte Card's management and operational history under a microscope. The FSS had previously downgraded the company to "poor" for consumer protection in December 2025, citing data protection issues. Reports from last year also pointed to inadequate security measures and to the company having the lowest number of IT staff in the credit card industry, suggesting the breach was a predictable outcome of systemic weaknesses. The company's majority shareholder, private equity firm MBK Partners, has also faced criticism over allegations of underinvestment in the firm's IT infrastructure since its acquisition.
If the FSS's proposed sanctions are finalized, Lotte Card would be prohibited from acquiring new customers or launching new incidental business for the duration of the suspension, dealing a significant blow to its operations and market standing. The move is seen as one of the most severe sanctions since a widespread data leak event shook the South Korean card industry in 2014, highlighting the increasing pressure on financial institutions to safeguard consumer data or face substantial consequences. For now, the industry is watching closely as the final decision from the Financial Services Commission will not only determine Lotte Card’s immediate future but also set a new benchmark for regulatory accountability.
Source: UPI