Snowballing Lotte Card hack puts millions at risk

Regulators probe larger-than-expected breach as pressure mounts on card issuer, owner MBK Partners

Lotte Card headquarters in central Seoul, Wednesday. (Yonhap)

South Korean authorities said Wednesday that a hacking attack on Lotte Card may have exposed the personal data of millions of customers, with the scale of the breach appearing far larger than initially reported.

The incident, first disclosed early this month by the nation’s fifth-largest card issuer, is now under investigation, as regulators work to determine the full extent of the damage.

Authorities believe the personal information of millions of Lotte Card’s 9.6 million customers may have been stolen. Early reports suggested 1.7 gigabytes of data had been leaked, but the actual figure is expected to be much larger.

The breach went undetected for nearly two weeks. The first attack occurred on Aug. 14, with additional attempts on Aug. 15 and 16, but the company did not detect malicious code until Aug. 26. An internal review found a breach on Aug. 31, after which Lotte Card reported the incident to the Financial Supervisory Service.

Reports indicate data was exfiltrated on the first two days, while the Aug. 16 attempt failed. Early investigations by the FSS indicate that the stolen data likely includes payment histories and other sensitive cardholder details.

“Authorities are still conducting an on-site investigation, and we are awaiting the results to determine the exact details of the breach and the extent of the damage,” a Lotte Card official said.

The probe is anticipated to conclude as early as this week, after which Lotte Card will notify affected customers. CEO Cho Jwa-jin is expected to issue a public apology and outline response measures.

The incident comes amid a series of large cyberattacks this year that have exposed weaknesses in Korea’s digital infrastructure.

In April, the nation’s largest mobile carrier, SK Telecom, suffered a breach of its USIM server network. In August, unauthorized micropayments on KT Corp. users’ phones revealed an unregistered micro base station, and investigations are ongoing. Major breaches also occurred at GS Shop and Yes24.

In response, President Lee Jae Myung has called for tougher cybersecurity rules, including heavier sanctions and punitive fines for companies that repeatedly suffer security incidents.

MBK Partners, which owns Lotte Card, faces added scrutiny over its profit-first management, a long-standing criticism of some private-equity stewardship of Korean companies. The firm is also under investigation in connection with the Homeplus liquidity crisis.

On Wednesday, FSS Gov. Lee Chan-jin, meeting with card issuer CEOs, said, “Companies must reflect on whether they have focused only on short-term results through cost cutting while neglecting long-term investment in information security."

“Spending to protect financial consumers’ data is not merely a cost, but an essential expenditure for a financial company’s survival and a core investment,” he added, urging CEOs to adopt a "zero-tolerance" principle in reexamining cybersecurity infrastructure and meeting information-protection obligations.

With the breach, MBK Partners’ planned sale of Lotte Card faces fresh headwinds. The firm has owned about an 80 percent stake since 2019 and has sought an exit since 2022. It revived the process this year at about 2 trillion won ($1.45 billion), but talks have stalled amid valuation gaps and a deteriorating financial position at Lotte Card.