Lotte Card Confirms Data Breach Exposing 2.97 Million Customers

Lotte Card confirmed a breach exposing 2.97 million customers; 280,000 had full card data leaked. Company pledges compensation and steps to reissue cards.

    Lotte Card — majority-owned by private equity firm MBK Partners — confirmed that a hacking incident exposed the personal data of 2.97 million customers and issued a public apology. Company officials and financial regulators say roughly 200 gigabytes of data were leaked, a figure far larger than the 1.7 gigabytes Lotte Card initially reported to authorities on Sept. 1.

    Scope of the Leak and Sensitive Card Data Exposed

    The Financial Supervisory Service and the Korea Financial Intelligence Unit discovered the breach during an investigation and found the more extensive dataset. Of the 2.97 million affected customers, 280,000 had highly sensitive credit data exposed, including full card numbers, CVC codes and resident registration numbers. Those high-risk records appear to belong to cardholders who registered their card details with payment platforms such as Naver Pay, Samsung Pay or certain online shopping services between July 22 and Aug. 27.

    Company statements say the remaining 2.69 million customers had only partially encrypted card information in the leak, and Lotte Card considers the risk of fraudulent use for those records to be negligible. The firm also noted that, to date, no confirmed misuse of the exposed card data has been reported.

    Company Response, Customer Outreach and Compensation

    At a central Seoul press conference, Lotte Card CEO Cho Jwa-jin offered a formal apology. “I take responsibility for causing great concern and anxiety to our customers and sincerely apologize,” he said.

    Lotte Card began contacting affected customers on Thursday, sending text messages to all 2.97 million people whose data was part of the incident. The 280,000 customers identified as high risk are receiving phone calls urging them to request immediate card reissuance. Customers can verify whether their information was compromised via Lotte Card’s website or by calling the company’s support line at 1588-8100.

    The company pledged full financial responsibility for losses. “We will take full responsibility and reimburse 100 percent of any losses stemming from this incident,” Cho said. He added that Lotte Card will also compensate confirmed secondary damages related to the leak once a causal link is established.

    Lotte Card announced a relief package for affected customers: interest-free installment payment plans for up to 10 months available through the end of the year, and a waiver of next year’s annual fee for customers whose cards must be reissued.

    Cho signaled that leadership changes are possible, saying he may step down by year-end as part of a broader management shake-up to restore trust.

    Regulatory Fallout and Potential Penalties

    Regulators convened an emergency meeting and warned of strict enforcement. Financial authorities said they will identify any violations of information protection and IT-security rules and “impose strict penalties under the principle of making an example.” Officials also indicated possible regulatory reforms, including new punitive fines for major security breaches.

    Credit ratings and market consequences may follow. In a contemporaneous report, NICE Investors Service estimated Lotte Card could face fines up to 80 billion won (about $57.7 million) tied to the breach. The ratings agency said it will evaluate the scale of regulatory sanctions and any customer attrition before deciding whether to adjust the company’s credit rating.

    Investigations and Next Steps

    Regulators and Lotte Card are continuing technical and forensic investigations to determine how the attackers accessed the systems and why the initial reported leak size differed from the later findings. Company officials emphasized priority measures aimed at the 280,000 high-risk customers but said they have notified the full set of affected users.

    Lotte Card said it will cover reissuance costs and provide ongoing support to impacted customers. The company also pledged to cooperate with regulators and law enforcement as authorities assess legal violations and potential systemic failures.

    Broader Industry Implications

    The incident underscores the exposure that card-on-file relationships with digital wallets and third-party platforms create, particularly around card registration windows and token storage practices. For Lotte Card, the breach affects roughly 30 percent of its reported 9.65 million customer base and will likely prompt heightened scrutiny from both regulators and business partners.
