Lotte Card CEO Cho Jwa-jin (fourth from left) and company executives bow in apology during a press conference at the Booyoung Taepyung Building in Jung-gu, Seoul, on September 18, following a customer data breach caused by an external hacking attack. / Reporter Seong Dong-hoon
A hacking incident at Lotte Card has led to the leakage of 200 gigabytes of personal information belonging to 2.97 million people, about 30 percent of the company’s total 9.67 million customers. Among them, 280,000 had their card passwords and security codes (CVC) exposed, raising the risk of fraudulent use.
The Financial Services Commission (FSC) said at an emergency meeting on the breach on September 18 that “an unidentified hacker infiltrated Lotte Card’s online payment server (WAS), installed malware, and stole a total of 200 gigabytes of information between August 14 and 27.”
Lotte Card initially reported to financial authorities on September 1 that only 1.7 gigabytes of data had been leaked. However, a subsequent on-site investigation involving regulators confirmed the actual figure was 200 gigabytes.
The stolen data contained the personal credit information of 2.97 million customers.
The leaked information had been generated and collected during online payment transactions between July 22 and August 27, and included connection information (CI), resident registration numbers, virtual payment codes, internal identification numbers, and types of simple payment services used.
During the same period, 280,000 customers who registered their card information with new payment services or e-commerce sites also had their card passwords, CVC numbers, and expiration dates compromised. Although these customers are at risk of card misuse, Lotte Card said that no cases of fraudulent transactions have been confirmed so far. The FSC added, “Experts assess that the risk of fraudulent use with the leaked information alone is very low.”
Lotte Card CEO Cho Jwa-jin held a press conference the same day, apologizing and pledging that “Lotte Card will take full responsibility and compensate for all damages caused by this incident.” The company said it will send notification messages to all 2.97 million affected customers and guide the 280,000 most at risk to have their cards reissued.
Severe disciplinary action against Lotte Card now appears inevitable. The FSC said, “Given the massive scale of the data breach, we take the situation very seriously and will hold the company strictly accountable through a Financial Supervisory Service investigation.” The commission also announced plans to pursue institutional reforms to strengthen the security management of financial companies, including the introduction of punitive fines.