Thursday, March 26, 2026

Resident Registration Numbers Stored in Plain Text Logs: Lotte Card Fined 9.6 Billion Won

Published: 2026-03-12 10:04:25
Updated: 2026-03-12 10:04:25
After a hacking incident at Lotte Card led to the leakage of personal and payment information of up to 2.97 million people, customers visit Lotte Card’s headquarters in Jongno District, Seoul, on the afternoon of September 19, 2025, to receive counseling. © News1, photo by Jang Soo-young
[The Financial News] Lotte Card has been hit with an administrative fine of about 9.6 billion won after customer data was leaked because resident registration numbers were stored in online payment system logs without encryption. Around 2.97 million individuals’ personal credit information was exposed in the hack, and among them, the resident registration numbers of about 450,000 people were also leaked.
The Personal Information Protection Commission (PIPC) announced on the 12th that it held its 4th plenary meeting on the 11th and decided to impose an administrative fine of 9.62 billion won and an administrative surcharge of 4.8 million won on Lotte Card for violating the Personal Information Protection Act, along with corrective orders and a public disclosure order.
In this case, the financial authorities and the PIPC divided their roles in the investigation. The financial authorities are examining, under the Credit Information Use and Protection Act, whether there were violations of security obligations related to the leakage of personal credit information. The PIPC focused its investigation on whether there were violations of the Personal Information Protection Act in the handling of resident registration numbers.
According to the PIPC’s findings, Lotte Card had been recording a large amount of personal information, including resident registration numbers, in log files generated during online payment processes. The investigation also found that this information was stored without encryption, meaning that in the event of a hacking incident, highly sensitive data could be exposed as is.
Under the current Personal Information Protection Act, the processing of resident registration numbers is, in principle, prohibited and allowed only in limited circumstances where there is a clear legal basis. However, Lotte Card was found to have processed resident registration numbers in log records without such a legal basis. Log files are supposed to contain only the minimum necessary personal information and only when unavoidable, yet Lotte Card had been storing a wide range of personal data without any separate review. The PIPC concluded that this practice was one of the main reasons the hacking incident resulted in a large-scale personal data breach.
The PIPC determined that processing resident registration numbers without legal grounds and failing to implement sufficient encryption measures constituted violations of the Personal Information Protection Act, and therefore imposed the administrative fine and surcharge. It also ordered the company to disclose the sanctions on its website and issued corrective measures requiring a comprehensive review and improvement of its personal information processing system. In addition, Lotte Card was instructed to overhaul its overall personal information protection management framework, including strengthening the responsibility and independence of its Chief Privacy Officer (CPO).
At a briefing held at Government Complex Seoul the same day, Yoon Yeo-jin, Director of Investigation Division 1 at the PIPC, stated, "The fact that Lotte Card had been storing a large amount of personal information, including resident registration numbers, in its logs was one of the reasons this hacking incident led to a large-scale personal data leak," adding, "It has been well over 10 years since the resident registration number legalism was introduced in 2014, yet resident registration numbers are still being routinely and excessively processed as a matter of practice."
Regarding the difference in sanctions compared with SK Telecom (SKT), which was fined 134.8 billion won, Yoon explained, "The roles of the financial authorities and the PIPC are divided, and the financial authorities are currently investigating violations of security measures related to the leakage of personal credit information," and added, "Related sanctions will be imposed at a later date."
Meanwhile, the PIPC plans to use this case as an opportunity to review how resident registration numbers are handled across the financial sector. This month, it will conduct a preliminary fact-finding inspection of financial sector businesses, focusing on whether resident registration numbers are being processed without legal grounds or used excessively.
yjjoe@fnnews.com Cho Yoon-joo Reporter