Lotte Card

Lotte Card, a major South Korean credit card issuer, suffered a significant data breach that exposed the personal information of 2.97 million customers. The incident has triggered widespread consumer anxiety and regulatory scrutiny, particularly as investigations revealed that the company allocated only 0.3% of its annual budget to cybersecurity, the lowest among its peers, despite having one of the highest ratios (15.5%) of IT staff dedicated to information security. The breach underscores systemic vulnerabilities in the credit card industry, where companies collectively spend just 10% of their IT budgets on cybersecurity, leaving critical customer data at risk. The South Korean government is now considering stricter penalties for firms that fail to protect against cyberattacks, while lawmakers question whether regulatory oversight itself needs strengthening. The breach has eroded public trust and highlighted the mismatch between security investments and the growing sophistication of cyber threats targeting financial institutions.

Source: https://www.koreatimes.co.kr/business/banking-finance/20250925/lotte-card-data-breach-puts-spotlight-on-low-cybersecurity-investment

TPRM report: https://www.rankiteo.com/company/lotte-card

"id": "lot2134121092525",
"linkid": "lotte-card",
"type": "Breach",
"date": "9/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '2.97 million',
                        'industry': 'Financial Services',
                        'location': 'South Korea',
                        'name': 'Lotte Card',
                        'type': 'Credit Card Issuer'},
                       {'industry': 'Financial Services',
                        'location': 'South Korea',
                        'name': 'Shinhan Card',
                        'type': 'Credit Card Issuer'},
                       {'industry': 'Financial Services',
                        'location': 'South Korea',
                        'name': 'Samsung Card',
                        'type': 'Credit Card Issuer'},
                       {'industry': 'Financial Services',
                        'location': 'South Korea',
                        'name': 'BC Card',
                        'type': 'Credit Card Issuer'},
                       {'industry': 'Financial Services',
                        'location': 'South Korea',
                        'name': 'Hyundai Card',
                        'type': 'Credit Card Issuer'},
                       {'industry': 'Financial Services',
                        'location': 'South Korea',
                        'name': 'KB Kookmin Card',
                        'type': 'Credit Card Issuer'},
                       {'industry': 'Financial Services',
                        'location': 'South Korea',
                        'name': 'Woori Card',
                        'type': 'Credit Card Issuer'},
                       {'industry': 'Financial Services',
                        'location': 'South Korea',
                        'name': 'Hana Card',
                        'type': 'Credit Card Issuer'}],
 'data_breach': {'data_exfiltration': 'Yes',
                 'number_of_records_exposed': '2.97 million',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Personal Information'},
 'date_publicly_disclosed': '2023-09-28',
 'description': 'A data breach at Lotte Card exposed the personal information '
                'of 2.97 million customers, raising concerns over '
                'cybersecurity investments in the credit card industry. '
                'Despite increases in IT staffing and budgets, only around 10% '
                'of resources were allocated to information security across '
                'major card issuers. Lotte Card, in particular, spent only '
                '0.3% of its annual budget on cybersecurity this year, the '
                'lowest among peers. The breach has prompted calls for '
                'stricter government penalties and improved response measures.',
 'impact': {'brand_reputation_impact': 'Negative (public backlash, criticism '
                                       'for inadequate security investments)',
            'customer_complaints': 'Increased (consumer anxiety intensified)',
            'data_compromised': ['Personal Information'],
            'identity_theft_risk': 'High (personal information of 2.97 million '
                                   'customers exposed)',
            'legal_liabilities': 'Potential (government signaling tougher '
                                 'penalties)'},
 'investigation_status': 'Ongoing (government examining responsibility and '
                         'response measures)',
 'lessons_learned': 'Inadequate allocation of IT budgets to cybersecurity '
                    '(only ~10% across major issuers, as low as 0.3% for Lotte '
                    'Card) and shortage of specialized security personnel '
                    'contribute to heightened vulnerability. Government '
                    'oversight and stricter penalties may be necessary to '
                    'enforce better security practices.',
 'post_incident_analysis': {'root_causes': ['Insufficient cybersecurity budget '
                                            'allocation (0.3% of annual budget '
                                            'for Lotte Card, ~10% '
                                            'industry-wide).',
                                            'Shortage of specialized '
                                            'cybersecurity personnel despite '
                                            'high IT workforce ratios in some '
                                            'companies (e.g., Lotte Card at '
                                            '15.5%).',
                                            'Lack of government enforcement or '
                                            'penalties for inadequate security '
                                            'measures.']},
 'recommendations': ['Increase allocation of IT budgets to cybersecurity, '
                     'especially for companies handling sensitive customer '
                     'data.',
                     'Hire and retain specialized cybersecurity personnel to '
                     'address workforce shortages.',
                     'Implement stricter government regulations and penalties '
                     'for companies failing to protect customer data.',
                     'Conduct regular audits of cybersecurity spending and '
                     'personnel allocation across financial institutions.'],
 'references': [{'date_accessed': '2023-09-28',
                 'source': 'Financial Supervisory Service (FSS) data as cited '
                           'by Rep. Kang Min-kuk and Rep. Kim Sang-hoon '
                           '(People Power Party, PPP)'},
                {'date_accessed': '2023-09-28',
                 'source': 'Statements from Rep. Yoon Han-hong (People Power '
                           'Party, PPP)'},
                {'date_accessed': '2023-09-28',
                 'source': 'Credit card industry official (unnamed)'}],
 'regulatory_compliance': {'legal_actions': 'Potential (government signaling '
                                            'tougher penalties)'},
 'title': 'Lotte Card Data Breach Exposes Personal Information of 2.97 Million '
          'Customers',
 'type': 'Data Breach'}