SEOUL — The Financial Supervisory Service (FSS) has issued a preliminary notice of heavy sanctions against Lotte Card following a catastrophic hacking incident last year that compromised the personal and financial data of millions. The proposed penalties, which include a 4.5-month business suspension and a massive fine, represent one of the most severe disciplinary actions taken against a South Korean credit card issuer in recent years.
Paralyzing Sanctions and Financial Penalties
According to financial industry sources on Thursday, the FSS notified Lotte Card last week of its intent to impose a 4.5-month suspension of operations alongside a 5 billion KRW ($3.7 million) fine.
A suspension of this duration is considered a "death sentence" for immediate growth. During this period, the company will be legally barred from:
-Recruiting new cardmembers.
-Issuing new credit or debit cards.
-Launching new marketing campaigns or financial products.
Industry insiders suggest that such a prolonged halt in core business activities will lead to a significant loss of market share and a "fatal blow" to the company’s competitive standing in a highly saturated market.
Holding Leadership Accountable
The sanctions do not stop at the corporate level. The FSS has also targeted former and current executives, including former CEO Cho Jwa-jin, who was at the helm when the breach occurred. The "personnel-level sanctions" are expected to include severe warnings or bans from future employment within the financial sector.
By targeting leadership, the FSS is signaling that this disaster was not merely a technical glitch, but a systemic failure of internal control and a lack of security consciousness at the management level.
A Multitude of Legal Violations
The FSS conducted a microscopic investigation from September to December of last year, scrutinizing every aspect of Lotte Card's security infrastructure. The regulator has applied a comprehensive list of charges involving:
-The Credit Specialized Financial Business Act
-The Credit Information Act
-The Electronic Financial Transactions Act (EFTA)
The investigation reportedly uncovered "critical deficiencies" in the company’s security protocols and a failure to meet the safety requirements mandated by the EFTA.
The Scale of the Disaster
The incident, which occurred in September 2023, remains one of the largest breaches in the Korean financial sector. The sheer scale and sensitivity of the leaked data are staggering:
Total Affected Customers: 2.97 million (roughly one-third of Lotte Card's total customer base).
Critical Data Leaks: For approximately 280,000 customers, hackers obtained card numbers, expiration dates, and CVC codes—the exact information required for fraudulent transactions.
A "Double-Whammy" of Penalties
The FSS’s move comes just weeks after the Personal Information Protection Commission (PIPC) imposed its own record-breaking penalty. Last month, the PIPC fined Lotte Card 9.62 billion KRW for violations of the Personal Information Protection Act. Combined with the FSS’s proposed 5 billion KRW fine, the company is facing nearly 15 billion KRW in direct financial penalties, excluding the massive indirect losses from the business halt.
What’s Next?
The FSS is scheduled to refer the sanction proposal to its Sanctions Review Committee on April 16. Following this, the final disciplinary action will be confirmed after a formal resolution by the Financial Services Commission (FSC).
"Between the PIPC's historic fine and the FSS's months-long operational freeze, Lotte Card is facing an unprecedented crisis," said a high-ranking official in the financial sector. "Beyond the monetary losses, the irreversible damage to their brand image and the loss of consumer trust will haunt the company for years to come."
[Copyright (c) Global Economic Times. All Rights Reserved.]
