The Broadcasting Media Communications Commission imposed an 11,250,000 won administrative fine on Lotte Card for violating obligations to implement safety measures for linked information (CI).

Bamiteongwi held its fifth commission meeting of 2026 on Tuesday and approved an administrative fine and a recommendation for improvements for Lotte Card for violating Article 23-6(2) of the Act on Promotion of Information and Communications Network Utilization and Information Protection.

The measure follows the results of a special inspection carried out after it became aware of the CI leak linked to last year's Lotte Card data leak incident. The inspection took place from September to November last year.

The inspection found that during operation of its "pay service" supporting mobile and online card payments, Lotte Card exposed logs on its online payment server that contained CI and resident registration numbers without encrypting them. Hackers stole the information by exploiting the time period when the logs were recorded in plain text. About 1.29 million people had CI included among the leaked data, and 450,000 of them also had resident registration numbers leaked.

Bamiteongwi confirmed failures to implement required safety measures, including not establishing internal rules for secure CI handling and not establishing a response plan in the event of an incident. It said shortcomings in safety measures led to a large-scale leak and the violations continued for more than three months after the law took effect, and it increased the base fine amount by half to impose an 11,250,000 won fine.

It also approved a recommendation for improvements on three items scheduled to take effect on May 1, 2027: separate storage of resident registration numbers and CI, encryption when storing CI, and keeping records and storing materials related to CI-providing institutions and timing.

Kim Jong-cheol (김종철), chairman of Bamiteongwi, said, "Linked information is important information that can identify customers, so we will take strict action under a zero-tolerance principle against businesses with inadequate security management systems." He added, "We will continue to strengthen management and supervision so that the public's valuable information can be safely protected."