Personal Information Protection Commission fines Lotte Card 9.6 billion won... 'resident registration numbers of 450,000 people leaked'
The Personal Information Protection Commission of South Korea has imposed a fine of 9.6 billion won on Lotte Card for a significant data breach that exposed the personal information of 450,000 individuals.
The Personal Information Protection Commission (PIPC) of South Korea has imposed a fine of 9.6 billion won and an additional administrative fine of 480,000 won on Lotte Card following a massive personal information leak reported in September of last year. The PIPC opened its investigation after the Financial Supervisory Service alerted it to a leak of personal credit information involving 2.97 million cardholders, which accounted for 30% of the company's total memberships. The PIPC concluded that the hack of Lotte Card's online payment system resulted in the leak of the resident registration numbers of 450,000 people, a severe breach of personal data protection regulations.
The PIPC discovered that Lotte Card's handling of resident registration numbers exceeded the permissible limits outlined in the Personal Information Protection Act. According to the legislation, such sensitive information can only be processed under specific circumstances where legal requirements exist or when it is deemed essential for the vital interests of the data subject. The investigation revealed that Lotte Card recorded substantial amounts of personal information, including resident registration numbers, in plaintext without sufficient encryption measures and failed to apply adequate security to the log files that stored this data.
The PIPC's decision to impose this fine highlights the critical failures in Lotte Card's data management practices, which ultimately led to the significant data breach. The commission ordered Lotte Card to publicize the details of the penalty on its website and will conduct a preliminary investigation into the unnecessary processing of sensitive resident registration numbers in the financial sector by March. This incident underscores the importance of strict adherence to data protection laws, especially in managing sensitive personal information to prevent future breaches.