Lotte Card breach could expose data of millions

Lotte Card, which has about 9.6 million members, has confirmed that the volume of data stolen in a hacking attack has exceeded 100 gigabytes, nearly 100 times the amount it initially reported. With telecom companies such as SK Telecom, insurance firms, and now credit card companies falling victim to hacks, consumer anxiety is spreading. Concerns are also rising over potential breaches at secondary financial institutions, such as savings banks, which are considered more vulnerable. As hacking becomes more sophisticated and easier through the use of new technologies, including artificial intelligence, experts warn that companies must urgently strengthen their security systems.

According to financial authorities and industry officials on Sept. 17, an investigation by Lotte Card, the Financial Supervisory Service, and the Financial Security Agency into the August hacking incident found that more than 100 gigabytes of data had been leaked. “We estimate the breach involved at least 100 gigabytes, a substantial portion of which is believed to be personal information," a senior financial official said. "If Lotte Card had acted more aggressively with card reissuance immediately after the incident, the damage from personal information leaks could have been minimized.”

By comparison, 9.82 gigabytes of personal data belonging to roughly 23 million people were leaked from SK Telecom in April. The Lotte Card breach therefore involved roughly ten times more data than the leak at the nation’s largest telecom company. "The company is continuing to verify whether personal information was compromised,” a Lotte Card official said.

Lotte Card had initially reported the hacking to financial authorities on Sept. 1 and estimated the leaked data at about 1.7 gigabytes. The actual volume now appears to be nearly 100 times higher than that initial figure.

As the scale of the breach grew far beyond initial estimates, the presidential office began closely monitoring potential impacts on financial consumers. President Lee Jae-myung received a direct briefing on the matter from Oh Hyun-joo, the third deputy director of the National Security Office, on Sept. 17 and reportedly urged that the situation be carefully managed.

Financial authorities plan to hold an emergency meeting soon. “We aim to clarify the government’s stance on the unannounced Lotte Card inspection and release it as quickly as possible," a senior official explained. Lotte Card CEO Cho Jwa-jin is expected to personally apologize to the public and announce measures to address the damage.

Experts stressed that companies need to increase investment in cybersecurity and that the government should streamline its agencies to enhance oversight and management. “Hacking is becoming more sophisticated due to new attacks that exploit AI and other emerging technologies," said Kwak Jin, a professor of cybersecurity at Ajou University. "The government must also consolidate the dispersed roles of the Personal Information Protection Commission and the Korea Internet & Security Agency to respond more closely and effectively.”


강우석 wskang@donga.com