Lotte Card data breach sparks consumer concerns

The scale of the hacking at Lotte Card, which has more than 9.6 million members, is rapidly growing. The company initially reported that about 1.7 gigabytes of data had been leaked, but financial authorities now say the actual amount stolen may exceed 100 gigabytes. That is more than 10 times the 9.8 gigabytes of SIM card information leaked from SK Telecom in April. The number of affected customers, originally estimated in the tens of thousands, could rise to several million.

Lotte Card reported the hacking to the Financial Supervisory Service on Aug. 31. Hackers began attempting to infiltrate the company’s online credit card payment server by installing malicious code as early as Aug. 14. The company said it has found no confirmation that personal information was leaked, but financial authorities have not ruled out the possibility that customers’ payment requests and other personal data were compromised and continue to investigate.

Hacking incidents have occurred in quick succession across the domestic financial sector. This is the third such case since the start of the second half of the year, following breaches at SGI Seoul Guarantee and the Welcome Savings Bank Group. It is particularly concerning that the credit card industry has again suffered a large-scale breach; in 2014, more than 100 million personal records were exposed. That earlier incident, traced to a contract worker at a credit rating agency who removed customers’ personal data, payment account details, card numbers, and expiration dates from several card companies, left more than 20 million people inconvenienced and anxious.

Lotte Card was one of the three companies involved in that massive leak. What is more troubling this time is that the company did not realize a breach had occurred until 17 days after the hacking attempt began. If a leading card issuer’s security system has such a significant gap, how can customers trust it with their personal information? Lotte Card has said it will reissue cards for all customers, but fears that information could be used for criminal purposes are unlikely to be quickly allayed.

Security breaches at financial firms that handle customers’ money carry far greater risks and consequences than breaches in other sectors. Questions have been raised over whether MBK Partners, which acquired Lotte Card in 2019, underinvested in security. A thorough investigation and robust corrective measures are needed to prevent further damage.