Korea's fifth-largest card issuer hit by 200-gigabyte breach, with 280,000 customers at direct risk

Lotte Card said a hacking attack compromised the personal data of 2.97 million users, making it one of the biggest data breaches ever recorded in Korea.

CEO Cho Jwa-jin on Thursday disclosed the findings of a probe by the Financial Supervisory Service and Financial Security Institute, marking the first public announcement since regulators began investigating on Sept. 2. He apologized to customers and outlined the company’s response plan.

“The probe found that more than 200 gigabytes of data had been breached,” Cho said, adding that “the total number of users affected is 2.97 million, with the breach occurring on the company’s only payments server.”

The stolen information was generated and collected during online transactions processed through the compromised server between July 22 and Aug. 27. It includes connection information, virtual payment codes, internal identification numbers and the type of simple payment service used.

Of those affected, about 280,000 customers face direct risk of unauthorized use because their card numbers, expiration dates and security codes were exposed while registering payment information online or on e-commerce platforms, Cho said.

Lotte Card has started notifying those most at risk to suspend and reissue their cards, with about 55,000 completing the process as of Wednesday.

The remaining 2.69 million users, whose leaked data is considered less sensitive, face no risk of illegal use and do not need to reissue their cards, Cho said. He added that offline transactions were not affected.

Lotte Card is Korea’s fifth-largest card issuer, serving more than 9.6 million customers and processing about 10 percent of the nation’s daily credit card spending.

About one-third of its users were affected, with over 200 gigabytes of data stolen — more than 100 times the 1.7 gigabytes initially reported and over 20 times the amount taken in the recent SK Telecom USIM server hack.

No unauthorized transactions have been detected so far.

The company said it would take full responsibility. “We will not pass on any losses to customers,” Cho said, adding that “even in cases of secondary damage, if found to be related, we will provide full compensation.”

The company will offer all affected customers a 10-month interest-free installment plan through year-end, free financial-damage monitoring and, for the 280,000 users prioritized for reissuance, a full waiver of next year’s annual fees.

Investigators found that the breach was exacerbated by lax cybersecurity management. Attackers scanned the payments server on Aug. 12, installed malicious code the next day and exfiltrated data on Aug. 14 and 15. Lotte Card did not detect suspicious activity until Aug. 26 during a routine server check and confirmed the breach on Aug. 31, leaving the system exposed for nearly two weeks.

Cho pledged to invest 110 billion won ($79.2 million) over the next five years to bolster information security. “We will raise our information security budget to 15 percent of total IT spending, the highest level in the industry,” he said, promising to replace key servers and upgrade core security systems within three months.

“We will use this as an opportunity to fundamentally overhaul not just security but the company’s entire management framework,” he added.