Cho Jwajin, head of Lotte Card, said on the 18th that he would carry out a personnel overhaul, including the resignation of himself and the executive team, in connection with the hacking incident.
Cho made the remarks after issuing a public apology to customers for the cyber intrusion at Booyoung Taepyeong Building in Jung District, Seoul, on the afternoon of the same day. Cho said, "We will not stop at recognizing this as a simple information security issue, but will use it as an opportunity to rebuild the mechanisms of Lotte Card's management," adding, "We will reshape our personnel with a customer-centered approach."
Cho said that while there is a possibility of fraudulent payments via the key-in method, no damage cases have been identified so far. Key-in payment means entering card information directly into the terminal to make a payment, and it accounts for 0.15% of the total payment volume.
Cho said, "In most cases, key-in payments are made while the physical card is in hand," adding, "We have also not yet found cases where unusually large payments were made or multiple payments were made at once."
Cho said Lotte Card would waive next year's annual fee without limit for 280,000 members among those affected who may be vulnerable to fraudulent card use. Cho said, "We are still calculating the exact figure, but we estimate the minimum waiver amount at more than 5.6 billion won."
Cho also said, "We are working with the police and a cloud service provider to find them, but we have not yet identified the hacker group."
On the afternoon of the 14th of last month, internal files were leaked due to hacking at Lotte Card. The size of the leak was about 200GB (gigabytes). Attempts to exfiltrate files continued for three days through the 16th. Lotte Card recognized the leak during a server synchronization process only on the 26th, 12 days later.
In this hacking incident, resident registration numbers of 2.97 million members, CVCs (three-digit numbers on the back of cards), and internal identification numbers were leaked. Among them, for 280,000 people whose relatively larger amount of information was exposed, there is said to be a possibility of fraudulent use.