Lotte Card, which recently experienced a hacking incident, was sanctioned by the Financial Supervisory Service (FSS) for poor security management a year ago. Its information technology (IT) staffing was also the lowest in the card industry. This suggests that the recent breach was likely a predictable disaster caused by a combination of a vulnerable security system and complacent security awareness. Financial authorities have repeatedly emphasized that they will impose strict sanctions if the breach resulted from management negligence.
According to the Financial Supervisory Service's announcement on 'matters requiring management caution for financial companies' on the 3rd, Lotte Card received a management caution and improvement measures last August due to inadequate measures to prevent data leakage and poor data management. During the regular inspection the previous year, it was discovered that card payment details had been exposed to others, which led to warnings and fines that accompanied the sanctions.
The Financial Supervisory Service pointed out that boot-stage passwords on employee PCs were inadequately configured. The FSS noted, "There is no enforcement of boot password settings for terminals, which raises concerns that unencrypted electronic data could be leaked after bypassing the boot process using boot USBs (removable storage devices)." It highlighted that if someone attempted hacking by booting a computer from a USB drive carrying an operating system and a password-cracking program, data could be leaked immediately because there is no boot password.
The FSS also identified the lack of management of core financial information recorded in large-scale databases (DBs), including account numbers and balances, as a problem. Lotte Card allowed employees of an external outsourcing company to modify the electronic ledger, but under the Electronic Financial Transactions Act, third parties, including external employees, are prohibited from changing important data such as electronic ledgers. The FSS also criticized the practice of extending contracts with IT outsourcing companies for several years without proper evaluation procedures.
Lotte Card announced that traces of attempts to leak data were found along with five types of web shells (hacking programs created by hackers to remotely control servers) and two types of malware on three servers related to this hacking incident. A security industry official remarked, "Compared to the ransomware hacking attacks received by SGI Seoul Guarantee and Welcome Financial Group, this method of breach is not advanced," adding, "There is a possibility that basic security systems or checks were inadequate compared to those of large financial companies."
Both inside and outside the financial sector, the small number of internal IT personnel at Lotte Card has been pointed out as a problem. According to data published by the FSS on the Public Data Portal, as of September 2022, Lotte Card had 78 IT personnel, including information technology and information security staff, the fewest among the eight card companies. The other companies have between 100 and 300 IT personnel, making Lotte Card the only one with an IT staff in the double digits.
The FSS is considering the possibility that customer information was included in the files that were exported from Lotte Card during this hacking incident. The FSS reported to the office of lawmaker Kang Min-guk of the People Power Party, "Based on the files that failed to be exported, it appears that card information and online payment request details are included." A financial authority official stated, "If incidents such as personal information leakage occurred due to management negligence, it could lead to sanctions." FSS Chairman Lee Chan-jin remarked during an executive meeting the previous day that "we will impose strict sanctions for financial security incidents resulting from management negligence."