Data breach at Lotte Card exposes personal information of over three million customers
South Korea's fifth-largest card issuer, Lotte Card, has suffered a significant data breach that affects more than 2.97 million of its customers. The breach, the biggest this year, occurred on Lotte Card's online payments server between July 22 and Aug. 27.
According to reports, more than 200 gigabytes of data were stolen during the incident. The stolen information includes connection information, virtual payment codes, internal identification numbers, and the type of easy payment service used. About 280,000 customers face direct risks of unauthorized use because their card numbers, expiration dates, and security codes were exposed.
Lotte Card has taken full responsibility for the data breach and has started notifying those most at risk to suspend and reissue their credit cards. For the 280,000 users prioritized for reissuance, Lotte Card will offer a full waiver of next year's annual fees. Additionally, the company will provide a 10-month interest-free installment plan to all affected customers.
Investigations found that lax cybersecurity management worsened the breach. The exploited vulnerability was first discovered in 2017, but one server was missed during the patching process, leaving a critical hole unaddressed for years.
As of Wednesday, about 55,000 customers had completed the process of suspending and reissuing their credit cards. Lotte Card serves more than 9.6 million customers and processes about 10% of the nation's daily credit card spending.
The breach affected 2.97 million users, but the remaining 2.69 million users, whose data is considered less sensitive, do not need to reissue their credit cards. Lotte Card will offer free monitoring for financial damage to all affected customers.
In a statement, Lotte Card expressed its deepest apologies for the inconvenience caused and assured its customers that it will invest 110 billion won ($79.4 million) over the next five years to strengthen information security.
So far, no unauthorized transactions have been detected. The attackers first scanned the payments server for vulnerabilities on Aug. 12. On Aug. 14 and 15, a total of 1.7 gigabytes of data were breached.
The data breach at Lotte Card is a stark reminder of the importance of robust cybersecurity measures. As more and more transactions move online, it is crucial for businesses to prioritize the protection of their customers' personal information.
