Lotte Card, whose internal files were leaked in a recent hack, said on the 18th that the total number of members whose information was exposed is 2.97 million.
Cho Jwa-jin, head of Lotte Card, held a press conference this afternoon at the Booyoung Taepyung Building in Jung-gu, Seoul, and said, "The leaked information has nothing to do with offline payments at all, and is limited to data generated and collected during online payment processes through the relevant online server between Jul. 22 and Aug. 27." The volume of leaked information is about 200GB (gigabytes).
Lotte Card said the detailed items leaked include CI (connecting information), resident registration numbers, CVC, virtual payment codes, internal identification numbers, and types of easy payment services, and that the leaked items differ by individual. Because the items leaked vary by data subject, it has taken steps to allow members to check the detailed items of leaked information for each member on the company website under "Check for personal credit information leak," and it is sending individual notification messages.
For the majority of affected customers, 2.69 million, CI and virtual payment codes were among the items leaked. However, the company said those items alone cannot enable fraudulent card use and there is no need to reissue cards. For 280,000 customers, it said ordinary payment use in Korea is not possible. There is some possibility of fraudulent use through certain special payment methods, but no cases of fraudulent use have been confirmed so far.
Lotte Card said it will fully compensate for all damages arising from this breach. It also said it will fully compensate for any secondary damage due to the leak of customer information if a connection is confirmed.
Starting today, Lotte Card will send individual information-leak notices to all 2.97 million customers whose data was exposed. For the 280,000 customers with potential fraud risk, it will send additional reissuance guidance texts and also make follow-up calls so that "card reissuance" measures proceed as the top priority.
It also said it will step up monitoring by elevating FDS (fraud detection system) operations. Lotte Card currently approves payments at overseas online merchants with no prior transaction history only after phone identity verification, and it is strengthening both pre- and post-transaction monitoring for domestic payments to guard against potential fraudulent charges.
In addition, it will place menus for card reissuance, blocking overseas payments, and changing passwords at the top of the main screen of the Lotte Card application (app) so customers can easily take security measures, and it plans to expand concurrent logins for smooth app use to as many as 600,000 users. It will also increase staffing at the 24-hour breach-dedicated call center so customers can receive support more quickly.
Work to strengthen system security will also proceed quickly. It will completely replace the servers, operating systems, and software environment of the online payment system to further enhance security, and it plans to complete within three months the upgrades to strengthen access to and authentication for major system accounts, as well as network security and data encryption management.
It will also provide all affected customers with a free 10-month interest-free installment plan through the end of the year, regardless of amount. CreditCare, a financial loss compensation service that covers damages from financial scams such as phishing and hacking or cyber extortion, will also be provided free through the end of the year, and card-use alert services will be offered for free through the end of the year so customers can check card transactions in real time without missing any. For the 280,000 customers who are the highest priority for reissuance, the next year's annual fee will be fully waived when cards are reissued.
Lotte Card plans to execute 110 billion won in information security-related investments over the next five years, expanding its information security budget ratio to an industry-leading 15%. Through this, it will establish its own security control system to strengthen a 24-hour real-time integrated security monitoring system, and it will create a dedicated red team to institutionalize preventive activities that assume hacker intrusions. It also said it will completely overhaul the current companywide IT system infrastructure to center it on information security.