3:22 PM | Economics

Lotte Card, focused on profitability, overlooked security… Financial authorities to “investigate delayed reporting and violations” [News Zoom-in]

The hacking incident at Lotte Card, which leaked the personal information of 2.97 million customers, has exposed the lax attitude of the financial sector towards information security. The central issue is the careless handling of a security vulnerability first identified in 2017 and left unaddressed for years; the gap it left was discovered only three days after financial authorities began their investigation. The financial authorities are expected to enforce strict accountability and to look into a range of regulatory violations, including the delay in reporting the breach.

Shortly after Lotte Card reported the breach to financial authorities on September 1, the Financial Supervisory Service and the Financial Security Institute launched a joint investigation on the 2nd. By the 4th, additional data leakage totaling 200 gigabytes had been identified, and by the 10th, log records suspected of being related to the leak had been recovered and analyzed to confirm the extent and content of the initial data leak.

Lotte Card detected the malicious code infection only on the 15th of the previous month, more than two weeks after the attacker first infiltrated the online payment server on the 12th. Even after identifying a 17GB data leak by the 31st of that month, Lotte Card’s initial response was inadequate: it claimed that “no personal information leakage has been detected” before belatedly reporting the breach to the authorities.

The breach route further exposed Lotte Card’s weak information protection capabilities. The customer information was taken through an unpatched, foreign-based payment gateway: an as-yet unidentified attacker exploited it to infiltrate Lotte Card’s online payment server, installed malicious software there, and exfiltrated a total of 200GB of data over 27 days starting on the 14th of the previous month.

Jo Jwa-jin, CEO of Lotte Card, explained that because there were no transactions with that payment service provider, the need for an upgrade had not been recognized, countering the criticism that the company prioritized profitability over security investment. This explanation appears to be an attempt to pre-empt further findings of regulatory violations and negligence in the coming investigations by the financial authorities.

The timing of Lotte Card’s recognition of the breach is also under scrutiny: the incident occurred around August but was not reported until September, a delayed response. The financial authorities are not ruling out the possibility that the hacking incident originated in neglect of information protection and security regulations. On the same day, the Financial Services Commission, led by Vice Chairman Kwon Dae-young, shared the detailed circumstances of the leak with related organizations and experts.

Vice Chairman Kwon emphasized that treating security investment as merely an additional cost or task can lead to serious incidents, and said CEOs need to thoroughly review their overall IT systems and information protection frameworks. The Financial Supervisory Service also plans to immediately inspect the security status of all card companies.

Beyond the immediate response, fundamental institutional improvements are being pursued, such as punitive fines and enforcement penalties for failing to carry out mandated security improvements. Under the planned system, a security breach caused by a violation of security obligations would draw a punitive fine.
