Lotte Card Hit by Another Massive Breach a Decade After 2014, Security Controls Under Scrutiny
Malicious code infiltration confirmed on August 26
Security breach occurred just after ISMS-P certification
Regulatory shortcomings perpetuate repeated damage

A malicious code infiltration was detected at Lotte Card, a company with 9.7 million members. While the firm stated that no core data was leaked externally and that no ransomware infection occurred, the incident follows the SK Telecom hack that exposed over 26 million subscriber records, intensifying concerns over Korea’s cybersecurity regime. Despite repeated sanctions in prior years, most punitive measures against card issuers have been limited to warnings or fines, raising questions over the effectiveness of enforcement.
Lotte Card suffered a hacking incident that resulted in the leak of 1.7GB of data
According to financial industry and security sources on September 2, Lotte Card reported the cyberattack to the Financial Supervisory Service (FSS) the previous morning. The firm had initially identified malicious code on several servers during maintenance checks on August 26. A subsequent audit revealed three compromised servers infected with two malware strains and five types of web shells—tools that allow hackers to gain administrator privileges. These were immediately removed. On August 31, traces of attempted data exfiltration amounting to roughly 1.7 gigabytes were detected from its online payment server.
Web shells, widely employed in cyberattacks, are notoriously difficult to detect: they let an intruder execute unauthorized commands on the server through ordinary-looking web requests, and attackers routinely erase logs to cover their tracks.
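As an added illustration, not taken from the article or from Lotte Card's own investigation, the following script shows one way a defender can hunt in web server access logs for the two signals the report describes: a web shell (a script path that is only ever POSTed to, by a single client) and bulk exfiltration (one client pulling an unusual volume of response bytes). The log lines, paths, IP addresses and the 1 GB threshold are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Combined Log Format); not from the incident.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Aug/2025:02:11:04 +0900] "GET /pay/checkout.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Aug/2025:02:11:09 +0900] "POST /pay/checkout.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [26/Aug/2025:02:12:31 +0900] "GET /pay/checkout.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [26/Aug/2025:02:40:02 +0900] "POST /upload/img_cache.jsp HTTP/1.1" 200 612 "-" "python-requests/2.31"
192.0.2.44 - - [26/Aug/2025:02:40:15 +0900] "POST /upload/img_cache.jsp HTTP/1.1" 200 734003200 "-" "python-requests/2.31"
192.0.2.44 - - [26/Aug/2025:02:41:50 +0900] "POST /upload/img_cache.jsp HTTP/1.1" 200 690000000 "-" "python-requests/2.31"
"""

# client, method, path, status, response size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')
SCRIPT_EXT = (".php", ".jsp", ".asp", ".aspx")


def analyze_access_log(text, exfil_bytes=1_000_000_000):
    """Return (web_shell_candidates, exfil_clients) for the given access-log text.

    web_shell_candidates: server-side script paths that received only POST
    requests and only from one client, which is how a dropped shell is
    typically driven and unlike a real application endpoint.
    exfil_clients: client IP -> total response bytes, for clients that
    received at least exfil_bytes in total (hypothetical threshold).
    """
    methods = defaultdict(set)    # path -> HTTP methods seen
    clients = defaultdict(set)    # path -> client IPs seen
    out_bytes = defaultdict(int)  # client IP -> bytes sent back to it
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash the hunt
        ip, method, path, _status, size = m.groups()
        path = path.split("?", 1)[0]
        methods[path].add(method)
        clients[path].add(ip)
        if size != "-":
            out_bytes[ip] += int(size)
    web_shell_candidates = sorted(
        p for p in methods
        if p.endswith(SCRIPT_EXT) and methods[p] == {"POST"} and len(clients[p]) == 1
    )
    exfil_clients = {ip: n for ip, n in out_bytes.items() if n >= exfil_bytes}
    return web_shell_candidates, exfil_clients
```

In a real investigation the path heuristic should be combined with a baseline inventory of known application scripts and with file-integrity data from the web root, since the access log itself is among the first things an intruder tampers with.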
While Lotte Card, with the aid of external investigators, has yet to find evidence of customer data leaks or ransomware infections, Korea’s Personal Information Protection Act requires firms to promptly disclose confirmed breaches to affected parties. Regulators, including the FSS and the Financial Security Institute, have launched investigations into the incident.

Fresh Breach Just Two Weeks After ISMS-P Certification
The case echoes the catastrophic 2014 data breach at KB Kookmin Card, NH Nonghyup Card, and Lotte Card, when an outsourcing contractor leaked 105.8 million records, triggering CEO resignations, fines, and regulatory reforms. Though subsequent measures mandated ISMS-P compliance, stricter outsourcing oversight, and enhanced internal controls, the latest attack demonstrates the persistent vulnerabilities in financial IT infrastructure.
Compounding the controversy, Lotte Card had secured ISMS-P certification only two weeks earlier, on August 12. Granted under the Information and Communications Network Act and the Personal Information Protection Act by the Korea Internet & Security Agency (KISA), the ISMS-P and ISMS accreditations are intended to validate corporate preparedness against hacks, insider leaks, and system failures. SK Telecom, which recently suffered a breach of 23 million users’ data, also held this certification.
Lotte Card passed assessments across 101 criteria in three domains—system establishment and operations, security safeguards, and personal data processing requirements—to earn the credential. The firm had previously obtained ISO27001 in 2008 and PCI DSS in 2017, both regarded as international security benchmarks.

Korean Card Data Sells for $15 Per Record, Penalties Remain Lax
Security experts warn that stolen data fuels downstream crimes such as financial fraud and insurance scams. According to AhnLab, postings on ten dark web platforms revealed hundreds of listings of Korean personal data, often in bulk volumes ranging from thousands to hundreds of thousands of records. Korean credit card data was reportedly selling at around $15 per record, including card type, holder nationality, membership tier, and PIN details.
Korean personal information commands a “premium” of three to ten times over foreign data, reflecting the country’s extensive digital financial infrastructure, which provides hackers with broad avenues of exploitation through online banking and identity verification systems.
Yet regulatory penalties remain weak. FSS disclosures show that major card firms such as Hana Card and Hyundai Card faced more than three sanctions in the past five years for similar breaches. Hyundai Card alone received 14 citations, but enforcement was limited to “management advisories” or “improvement recommendations.” Even after the 2014 debacle, penalties rarely exceeded partial business suspensions or fines in the tens of thousands of dollars.
A decade on, systemic weaknesses persist. Notably, the 2014 breach was perpetrated by an outsourcing contractor who illicitly exported customer data on storage devices. Still, oversight of third-party vendors remains inadequate. Research by Sangmyung University highlights that as outsourcing relationships between card firms and subcontractors grow more complex, accountability for data protection becomes even more critical. Yet audits and reporting structures at Korean issuers remain conspicuously deficient.