The Personal Information Protection Commission said on the 12th it will impose a 9.62 billion won penalty surcharge and 4.8 million won in fines on Lotte Card, which leaked the personal information of about 2.97 million customers last year.
At a full commission meeting held the previous day, the Personal Information Protection Commission decided to impose a penalty surcharge and fines, along with corrective measures and an order to disclose, for Lotte Card's violations of the Personal Information Protection Act.
In September last year, Lotte Card was hacked through its online easy payment system, leaking the personal credit information of about 2.97 million users stored in log files. An investigation found that resident registration numbers were also leaked for 450,000 of them.
Because the Credit Information Act takes precedence for the processing of personal credit information, the financial authorities and the Personal Information Protection Commission split their roles in the investigation. The financial authorities looked into whether there were violations of the duty to take safety measures related to the leak under the Credit Information Act, while the Personal Information Protection Commission examined whether there were violations of the Personal Information Protection Act in the processing of resident registration numbers.
From Lotte Card's perspective, with the Credit Information Act applied first, it appears to have avoided a penalty surcharge in the hundreds of billions of won. Under the Credit Information Act, the penalty surcharge for loss or theft of personal credit information due to hacking is capped at 5 billion won. The level of sanctions by the financial authorities has not yet been finalized.
The Personal Information Protection Commission's investigation found that Lotte Card processed resident registration numbers beyond the scope allowed by law, such as recording numerous personal details, including resident registration numbers, in plain text in computer log files generated during online payments.
The current Personal Information Protection Act allows resident registration numbers to be processed only where a statute or presidential decree requires or permits it, or where it is clearly necessary to protect the life, body, or property of the data subject or a third party from imminent danger. The investigation also found that encryption of the log files had not been adequately implemented.
Logs should contain personal information only when it is unavoidable, and then only the minimum necessary, but Lotte Card had been writing multiple personal details, including resident registration numbers, into its logs without any separate review of whether they were needed. The Personal Information Protection Commission regards this practice as one of the causes that turned the hacking incident into a large-scale personal information leak.
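The failure described above is sensitive identifiers reaching log files in plain text. The following is an added illustration, not code from Lotte Card or from the Commission's findings, of one control a practitioner would put in place: a handler-level redaction filter in Python's standard `logging` module that formats each record with its arguments and then masks anything shaped like a resident registration number before the line is written. It assumes the standard RRN shape (six birth-date digits, an optional hyphen, then seven digits beginning with a gender/century digit 1-8); the `rrn_redactions` record attribute, the logger name, and the sample events are constructed for the example.

```python
import logging
import re

# Korean RRN shape: YYMMDD, an optional hyphen (sloppy logs omit it), then 7 digits
# whose first digit (gender/century) is 1-8. The digit-boundary lookarounds stop
# the pattern from firing inside longer numeric strings such as order references.
RRN_RE = re.compile(r"(?<!\d)(\d{2})(\d{2})(\d{2})-?([1-8]\d{6})(?!\d)")


def _plausible_birthdate(mm: str, dd: str) -> bool:
    # Loose sanity check so a 13-digit reference with "month" 45 is not redacted.
    return 1 <= int(mm) <= 12 and 1 <= int(dd) <= 31


def redact_rrn(text: str) -> tuple[str, int]:
    """Return (text with every plausible RRN replaced by a fixed token, replacement count)."""
    count = 0

    def _sub(m: re.Match) -> str:
        nonlocal count
        if not _plausible_birthdate(m.group(2), m.group(3)):
            return m.group(0)
        count += 1
        return "[RRN-REDACTED]"

    return RRN_RE.sub(_sub, text), count


class RRNRedactingFilter(logging.Filter):
    """Handler-level filter. It renders the message with its %-args first, so an RRN
    passed as a separate argument is caught too, then stores the redacted string back."""

    def filter(self, record: logging.LogRecord) -> bool:
        redacted, n = redact_rrn(record.getMessage())
        record.msg = redacted
        record.args = ()
        if n:
            record.rrn_redactions = n  # hypothetical attribute for metrics/alerting
        return True


class _ListHandler(logging.Handler):
    """Collects formatted lines in memory so the example runs without touching disk."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def log_payment_events(events: list[tuple[str, tuple]]) -> list[str]:
    """Log each (format, args) pair through a redacting handler and return what was written."""
    logger = logging.getLogger("payments.example")  # assumed logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = _ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RRNRedactingFilter())
    logger.addHandler(handler)
    for fmt, args in events:
        logger.info(fmt, *args)
    return handler.lines


# Constructed sample events (not real data): one RRN inline, one passed as a %s
# argument without a hyphen, and a 13-digit order reference that must survive.
SAMPLE_EVENTS = [
    ("approve merchant=shop01 rrn=900101-1234567 amount=12000", ()),
    ("kyc-check name=%s rrn=%s result=%s", ("홍길동", "0512243456789", "pass")),
    ("order ref=4512999888777 status=ok", ()),
]

if __name__ == "__main__":
    for line in log_payment_events(SAMPLE_EVENTS):
        print(line)
```

Attaching the filter to the handler rather than the logger matters: handler filters run for every record that reaches that sink, including records from child loggers, so a developer cannot bypass the mask by logging from a different module. A regex mask is a last line of defence, not a substitute for not logging the field at all; the better fix is to drop the identifier from the payment log entirely and keep any needed correlation key in a separately encrypted store.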
The Personal Information Protection Commission imposed a 9.62 billion won penalty surcharge and 4.8 million won in fines on Lotte Card for processing resident registration numbers without a legal basis and for failing to apply sufficient encryption in the process, and ordered the company to disclose the disposition on its website.
The Personal Information Protection Commission plans to launch a pre-emptive fact-finding inspection this month of financial sector operators to correct practices of unnecessarily processing resident registration numbers, as in the Lotte Card case.