Lotte Card hack exposes data of 3 million users

Lotte Card said a hacking attack compromised the personal data of 2.97 million users, marking the biggest data breach this year.
CEO Cho Jwa-jin on Thursday disclosed the findings of a probe by the Financial Supervisory Service and Financial Security Institute, in the first public announcement since regulators began investigating on Sept. 2. He apologized to customers and outlined the company’s response.
“The probe found that more than 200 gigabytes of data had been breached,” Cho said, adding that “the total number of users affected is 2.97 million, with the breach occurring on the company’s online payments server.”
The stolen information consists of data generated and collected during online transactions processed through the compromised server between July 22 and Aug. 27. It includes connection information, virtual payment codes, internal identification numbers and the type of easy payment service used.
Of those affected, about 280,000 customers face direct risks of unauthorized use because their card numbers, expiration dates and security codes were exposed while registering payment information online or via e-commerce platforms, Cho said.
No unauthorized transactions have been detected so far.
Lotte Card has started notifying those most at risk to suspend and reissue their cards, with about 55,000 having completed the process as of Wednesday.
The remaining 2.69 million users, whose leaked data is considered less sensitive, face no risk of illegal use and do not need to reissue their cards, Cho said. He added that offline transactions were not affected.
Lotte Card is Korea’s fifth-largest card issuer, serving more than 9.6 million customers and processing about 10 percent of the nation’s daily credit card spending.
About one-third of its users were affected, with over 200 gigabytes of data stolen — more than 100 times the 1.7 gigabytes initially reported and over 20 times the amount taken in the recent SK Telecom USIM server hack.
The company said it would take full responsibility. “We will not pass on any losses to customers,” Cho said, adding that “even in cases of secondary damage, if found to be related, we will provide full compensation.”
The company will offer all affected customers a 10-month interest-free installment plan through the end of the year, free monitoring for financial damage and, for the 280,000 users prioritized for reissuance, a full waiver of next year’s annual fees.

Investigations found that lax cybersecurity management worsened the breach. Attackers first scanned the payments server for vulnerabilities on Aug. 12, installed malicious code the next day and exfiltrated 1.7 gigabytes of data on Aug. 14 and 15.
Separately, 200 gigabytes of personal data was stolen between Aug. 15 and 27, with attackers using a proxy-enabled web shell on the payments server to run file transfers over FTP and to repeatedly extract transaction log files. Only 56 percent of the 2,700 leaked files were encrypted.
Lotte Card did not detect the intrusion until a routine server check on Aug. 26. It finally confirmed the breach on Aug. 31, leaving the system exposed for nearly two weeks. Exposure could have been greater had the breach been discovered later.
What makes the case more troubling is that the breach was preventable but allowed to occur due to negligent security oversight. The company said the exploited vulnerability was first discovered in 2017. Although a security patch was distributed that year, the company said that one server, used for a rarely accessed overseas payment service, was missed during the patching process, leaving a critical hole unaddressed for years.
CEO Cho Jwa-jin acknowledged the gravity of the situation and vowed a sweeping overhaul of the company’s systems.
“We will use this as an opportunity to fundamentally reform not just security but the company’s entire management framework,” he said.
Cho pledged to invest 110 billion won ($79.4 million) over the next five years to strengthen information security, raising the security budget to what he called “the industry’s highest,” at 15 percent of total IT spending.
He also vowed to institutionalize preventive measures by creating an internal red team and overhauling IT infrastructure with a focus on consumer protection. By year-end, the company plans to replace servers, upgrade core systems and carry out a companywide personnel shake-up.
Copyright © The Korea Herald. Unauthorized reproduction and redistribution prohibited.