This article was published on the ChosunBiz MoneyMove (MM) site at 6:13 p.m. on Sept. 24, 2025.
Questions have been raised about whether Lotte Card, which suffered a large-scale hacking incident, may have violated disclosure obligations under the Capital Markets Act. That is because its recently issued corporate bond prospectus stated that the possibility of customer information leakage was "not confirmed."
Because the company issued a large-scale apology immediately after submitting the prospectus, it is possible that it was already aware of the leakage of personal information of 2.97 million customers at the time the prospectus was submitted.
According to the investment banking industry on the 24th, Lotte Card recently issued unnamed, unsecured corporate bonds totaling 170 billion won: series 572-1 (20 billion won) and series 572-2 (100 billion won). It disclosed the prospectus on the 16th and conducted a public subscription and payment for securities firms on the 17th.
Lotte Card's corporate bonds were issued at below-market rates despite the large-scale hacking incident. Both the 2-year-3-month and 3-year bonds were set at annual rates of 2.87%–2.97%, about 0.02 percentage points lower than the individual average market rate. The 4-year series 572-4 rate was adjusted down by 0.03 percentage points from the individual average market rate.
The problem is that the company issued a public apology on the 18th, immediately after the corporate bond subscription and payment on the 17th.
For credit card companies like Lotte Card, customer information leakage is considered a core investment risk. Immediate imposition of penalty surcharges worth hundreds of millions of won could hurt revenue, and customer defections could follow. Interest rates, which determine the success of corporate bond offerings, could also be set higher due to downgraded creditworthiness.
It appears Lotte Card had already confirmed the leakage of personal information of 2.97 million customers on the 17th, the day of the bond subscription. According to the Financial Services Commission, Lotte Card began work in early September after the Financial Security Agency confirmed a 200GB data breach, and completed the work on the 17th.
This raises the possibility of violating the Capital Markets Act. Not only did the company proceed with the bond issuance despite the large-scale hacking incident, it also appears to have downplayed the hacking in the corporate bond prospectus. It did not go through correction procedures.
The prospectus stated, "Around 12 p.m. on Aug. 31, traces were found of an external attacker attempting to exfiltrate data from the online payment server, prompting a detailed investigation," and "to date, external leakage of key information such as customer information or serious malware infection has not been confirmed."
This contrasts with findings during investigations by the Financial Supervisory Service and the Financial Security Agency in early September that confirmed information had been leaked. At that time the Financial Security Agency said an unknown hacker had infiltrated Lotte Card's payment server (WAS), installed malicious software and leaked 200GB of data from Aug. 14 to 27.
Corporate bonds issued by credit card companies fall under debt securities as defined in Article 4, Paragraph 2 of the Capital Markets Act and are subject to the act. Experts say that downplaying or omitting this hacking damage could be considered "false statements regarding important matters," constituting a breach of investor protection duties.
A legal source said, "If it is true that the hacking damage was downplayed in the statements, it would amount to acts intended to obtain property benefits from documents with omissions in the description or representation of important matters," adding, "It could be punished by imprisonment for more than one year or a fine of at least four times the avoided loss."
Meanwhile, Lotte Card's largest shareholder MBK Partners has previously been criticized for concealing important investment risks while raising funds during the Homeplus incident. At that time, on the day MBK Partners was notified by a credit rating agency of a possible downgrade in Homeplus's credit rating, Homeplus issued electronic short-term bonds backed by card payments, sparking controversy over incomplete sales.