
South Korea's Personal Information Protection Commission said on Tuesday it decided at its fourth plenary meeting to impose a fine of 96.2 billion won and an administrative penalty of 4.8 million won on Lotte Card for violating personal information protection rules. It also approved corrective and public disclosure orders.

The commission said it launched an investigation to confirm related facts after the Financial Supervisory Service notified it in September last year of a report of a leak of Lotte Card's personal credit information.

The investigation confirmed that a hack of Lotte Card's online simple payment system led to the leak of personal credit information, recorded in log files, of about 2.97 million users. It said resident registration numbers of 450,000 of them were also leaked.

The Credit Information Use and Protection Act, referred to as the Credit Information Act, is a special law on the processing of personal credit information. For personal credit information, the Credit Information Act takes precedence over the Personal Information Protection Act, referred to as the Protection Act, while the Protection Act applies to personal information processing not stipulated in the Credit Information Act.

Financial authorities investigated whether the Credit Information Act was violated, focusing on obligations to take security measures related to the leak of Lotte Card's personal credit information. The commission investigated whether the Protection Act was violated, focusing on Lotte Card's handling of resident registration numbers.

According to the commission's findings, Lotte Card processed resident registration numbers beyond the scope permitted by law, for example by recording multiple types of personal information, resident registration numbers among them, in plaintext in logs related to online payments. It also did not sufficiently encrypt the log files.

The commission explained it imposed the fine and administrative penalty for Lotte Card's processing of resident registration numbers without a legal basis and for failing to apply sufficient encryption in the process. It also ordered the company to publicly disclose the disposition on its business homepage.

The commission said it plans to push ahead in March with a preliminary fact-finding inspection of businesses in the financial sector on whether they routinely process resident registration numbers despite lacking a legal basis or necessity.

Copyright © DigitalToday. All rights reserved. Unauthorized reproduction and redistribution are prohibited.