Lotte Card CEO Cho Jwa-jin argued that there is no problem with the Personal Information Protection Management System (ISMS-P), a security certification run by the Personal Information Protection Commission. He then stressed that the company bears greater responsibility for the latest leak.
Rep. Cho In-cheol of the Democratic Party of Korea criticized at a Science. ICT. Broadcasting. and Communications Committee hearing on the morning of the 24th that "it has not been long since Lotte Card received a passing judgment in the ISMS-P certification, yet a leak occurred," adding, "It must be one of two things: either Lotte Card did not properly follow the certification standards, or the ISMS-P's evaluation items were utterly useless."
In response, CEO Cho said, "ISMS-P does not conduct checks on every item," and stated, "Rather than being directly related to the certification, I believe the company's internal information protection management was inadequate." He added, "In this matter, I believe the company bears greater responsibility."
ISMS-P certification is an official certification system that evaluates whether an organization can respond effectively to cyber intrusion threats and whether corporations' information protection systems and customer personal information protection management systems are operated appropriately. It is regarded as the highest-level management system certification in Korea. Just before Lotte Card experienced the leak, it was reported to have received the top grade under the certification program, fueling arguments that the system is useless.
Earlier, on the afternoon of the 14th of last month, Lotte Card had internal files leaked due to hacking. The scale of the leak is about 200GB (gigabytes), and the number of victims is 2.97 million. The hacking led to the leakage of some members' resident registration numbers, CVCs (the three-digit number on the back of the card), internal identification numbers, and more.