
Lotte Cardholder Data Breach Impacts Nearly 3 Million Customers, With 280,000 at Risk of Fraud

A data breach at Lotte Card has exposed the personal details of 2.97 million South Koreans, with the sensitive unencrypted cardholder data of 280,000 individuals at a direct risk of exploitation for fraud.

In early September 2025, the company discovered that a cyber attack had leaked the personal information of nearly a third of its customers. Valued at over $1.4 billion (KRW 2 trillion) in 2024, Lotte Card is South Korea’s fifth-largest card issuer, with more than 9.6 million customers and a market share of over 10% in credit card transactions.

Upon learning of the data breach, Lotte Card notified South Korea’s privacy regulators and launched an investigation. The Financial Supervisory Service (FSS) and Korea Financial Intelligence Unit also initiated a probe into the cyber attack to determine its scope.

“We are working to complete the probe and may announce the result this week,” the FSS stated.

Lotte cardholder data breach worse than reported

The investigation found that the Lotte cardholder data breach may have been worse than initially reported. For instance, the FSS found that the cyber attack had leaked 200 gigabytes of data, a far cry from the meager 1.7 gigabytes that Lotte had reported.

The data was pulled from transaction information stored on a compromised server between July 22 and Aug 27. It included sensitive details such as CVVs, card numbers, and card expiry dates.

While nearly 3 million customers were affected, the cardholder data of 280,000 customers was not encrypted, making it readily available for exploitation by cybercriminals. These customers had also enrolled in various payment services such as Naver Pay and Samsung Pay, and in third-party e-commerce services.

However, no misuse has so far been reported, and the cardholder data for the remaining 2.69 million customers was encrypted, thus minimizing the risk of exploitation.

Lotte’s CEO also stressed that the leaked data could not be misused for offline purchases as additional details and verification processes were required for online transactions.

Nevertheless, Cho took responsibility for the data breach and apologized for it and the anxiety it caused.

“I take responsibility for causing great concern and anxiety to our customers and sincerely apologize,” Cho said in a press conference.

Lotte to reimburse any losses

The company also said it would reissue new cards to severely affected customers and pay for any damages resulting from the cardholder data breach.

“We will take full responsibility and reimburse 100 percent of any losses stemming from this incident,” Cho added. “If secondary damages linked to the leak occur, we will also provide full compensation once the connection is confirmed.”

Lotte will also waive next year’s annual fees for customers whose cards were reissued and offer 10-month interest-free installment payments until the end of the year.

The card issuer also promised to spend $79.30 million (KRW 110 billion) on data security in the next five years to prevent a similar data breach in the future.

Meanwhile, the cardholder data breach amplified the South Korean president’s call for “fundamental comprehensive measures to minimize hacking damage.”

Lotte Card also faces potential regulatory action for failing to prevent the data breach, with the FSS promising to identify any potential violations and impose strict penalties as a warning to other companies.

In August 2025, South Korea’s Personal Information Protection Commission (PIPC) hit the country’s telecom giant SK Telecom with a $97.2 million (KRW 134.8 billion) fine for its alleged failure to prevent a data breach that impacted over 23 million people.