Financial authorities said on the 18th regarding the Lotte Card data leak, "Through an inspection by the Financial Supervisory Service, we will identify every violation in detail and take stern action," adding, "We plan to ensure the highest level of strict sanctions for lax management of personal information and information security."
The Financial Services Commission and the Financial Supervisory Service made the announcement at an emergency countermeasures meeting held that day at the Government Complex Seoul with Lotte Card CEO Cho Jwa-jin and others, saying, "A thorough inspection of the overall situation is underway."
Lotte Card said that day that the number of members whose information was leaked was 2.97 million. The leaked data volume was 200 gigabytes (GB), and it was found that connected information (CI), resident registration numbers, CVC, virtual payment codes, internal identification numbers, and types of easy payment services were leaked.
For 2.69 million customers, CI and virtual payment codes were leaked. However, fraudulent card use is not possible with this information. With the leaked information of the remaining 280,000, there is a possibility of fraudulent use through a special payment method. However, no cases of fraudulent use have been found so far.
Financial authorities and Lotte Card decided to block secondary damage for customer groups with a high possibility of data leakage through additional identity verification and other measures. They also decided to provide full reimbursement for any fraudulent use caused by the breach, and to support password changes, blocking of overseas payments, and card reissuance.
To prevent a recurrence, financial authorities decided to launch an emergency inspection of the security management posture across the financial sector and to pursue fundamental institutional improvements related to IT security. If violations are found in the process, they will immediately demand remediation and begin sanction procedures.
Financial authorities said, "To strengthen financial firms' preemptive vigilance and, afterward, impose strict punishment, we will introduce punitive penalty surcharges that go beyond the general level when a major security incident occurs," adding, "If a financial firm fails to properly implement the government's requests to improve the level of remediation, we will impose continuous enforcement fines so that financial security is managed with a sense of urgency."
Kwon Dae-young, vice chair of the Financial Services Commission, said, "Every CEO in the financial industry must have a firm awareness that security is the most basic and core duty to protect consumers and safeguard financial reliability," adding, "Since a complacent attitude that views security investment as an expense or an extra task can lead to a serious situation, under the responsibility of the CEO, please conduct a full-scale inspection of the entire IT system and information protection framework."