Regarding the Lotte Card hacking incident that leaked the data of 2.97 million members, MBK Partners, the major shareholder, explained that it has increased security investment. However, Lotte Card's information security budget this year has decreased from last year.
According to the "Status of total budgets and information security budgets of dedicated card companies (based on annual allocations)" obtained by People Power Party lawmaker Kim Sang-hun of the National Policy Committee from the Financial Supervisory Service on the 22nd, Lotte Card's information security budget allocation this year is 12.8 billion won, down 15.2% from last year's 15.1 billion won.
Among the eight dedicated card companies (Samsung, Shinhan, Hyundai, KB Kookmin, Woori, Hana, Lotte, and BC Card), only Lotte Card, Hana Card (-11.8%), and Hyundai Card (-10.5%) reduced their information security budgets. By contrast, KB Kookmin Card increased its information security budget this year to 33.0 billion won, up 61.8% from last year's 20.4 billion won. Samsung Card (26.4%), Woori Card (11.5%), and Shinhan Card (10.4%) also increased their information security budgets.
MBK also explained that, in addition to increasing the budget amount, it expanded its internal information security staff. However, measured as a share of IT staff, information security personnel actually fell. In 2020, Lotte Card's total information technology (IT) staff numbered 74, of whom 20 were in information security, meaning 27% were information security personnel. As of June this year, Lotte Card's total IT staff is 226 and its information security staff is 35, or just 15%. Lotte Card's IT executives also number three, or 7% of all executives (45), ranking near the bottom among the eight dedicated card companies.
Despite MBK's active explanations, it appears difficult for it to avoid blame, as management gaps have emerged at a card company that requires a high level of security capability. In particular, Lotte Card's share of investment in information security declined in step with MBK's first attempt to sell. According to Lotte Card's sustainability report, the ratio of information security investment to the IT budget fell from 12% in 2021 to 10% in 2022 and to 8% in 2023.
MBK acquired Lotte Card in May 2019, attempted its first sale in 2022, and is attempting a sale again this year, even lowering the asking price. This coincides with the inflection point when the information security investment share began to drop. As the controversy over responsibility has flared, MBK Chair Kim Byung-ju has been selected as a witness at the Science, ICT, Broadcasting and Communications Committee's hearing on the 24th into major hacking incidents at telecom and financial companies.
Financial authorities have also signaled the highest level of sanctions over the incident. With heavy penalties expected, including a suspension of Lotte Card's operations, both MBK and Lotte Card's management appear unlikely to avoid responsibility. In the card industry, some point out that private equity funds may have a tendency to cut expenses such as security investment to maximize short-term revenue.
Lawmaker Kim Sang-hun said, "The leak of the financial information of millions ultimately stems from management's choice to reduce security investment," adding, "MBK and Lotte Card must respond not by evading responsibility but by expanding security investment and fundamentally overhauling their management structure."